diff --git a/packages/cisco/changelog.yml b/packages/cisco/changelog.yml
index d37671b90c1..25aa36491a9 100644
--- a/packages/cisco/changelog.yml
+++ b/packages/cisco/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.13.2"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
 - version: "0.13.1"
 changes:
 - description: Add documentation for multi-fields
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
index f3701aab74a..da607a99cf5 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
@@ -1,52 +1,68 @@ { "expected": [ { - "log": { - "level": "informational" + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": { + "connection_id": "111111111", + "destination_interface": "fw111", + "mapped_destination_ip": "81.2.69.144", + "mapped_destination_port": 53500, + "mapped_source_ip": "81.2.69.144", + "mapped_source_port": 53500, + "source_interface": "net" + } }, "destination": { - "nat": { - "ip": "81.2.69.144" - }, "address": "192.168.2.2", - "port": 53500, - "ip": "192.168.2.2" - }, - "source": { + "ip": "192.168.2.2", "nat": { "ip": "81.2.69.144" }, - "address": "10.10.10.10", - "port": 53500, - "ip": "10.10.10.10" + "port": 53500 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "inbound", "iana_number": "6", - "transport": "tcp", - "direction": "inbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "net" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "fw111" - } - } - }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
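Review bot: The expected `@timestamp` in this hunk moves from `2021-05-05T17:51:17.000Z` to `2022-05-05T17:51:17.000Z` while the matching `event.original` text (`May 5 17:51:17`, no year) is unchanged, which suggests the pipeline takes the year from the wall clock at test time rather than from the message. If that is what is happening, this fixture will go stale again after the next year boundary and the test cannot actually pin how the date processor handles year-less syslog timestamps; consider fixing the reference year in the pipeline test configuration so the expected output is stable, and treating a year mismatch as a test failure rather than regenerating the fixture. The fix belongs in the ingest pipeline or its test config, not in this expected-output file.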
@@ -58,82 +74,81 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057627392Z", - "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "nat": { + "ip": "81.2.69.144" + }, + "port": 53500 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", "cisco": { "asa": { + "connection_id": "111111111", "destination_interface": "fw111", - "mapped_source_port": 53500, "mapped_destination_ip": "81.2.69.144", + "mapped_destination_port": 53500, "mapped_source_ip": "81.2.69.144", - "connection_id": "111111111", - "source_interface": "net", - "mapped_destination_port": 53500 + "mapped_source_port": 53500, + "source_interface": "net" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "nat": { - "ip": "81.2.69.144" - }, "address": "192.168.2.2", - "port": 53500, - "ip": "192.168.2.2" - }, - "source": { + "ip": "192.168.2.2", "nat": { "ip": "81.2.69.144" }, - "address": "10.10.10.10", - "port": 53500, - "ip": "10.10.10.10" + "port": 53500 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302015", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "inbound", "iana_number": "17", - "transport": "udp", 
- "direction": "inbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "net" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "fw111" - } - } - }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -145,56 +160,57 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "nat": { + "ip": "81.2.69.144" + }, + "port": 53500 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": { + "icmp_code": 3, + "icmp_type": 3, + "mapped_source_ip": "81.2.69.144" + } + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057630410Z", - "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302020", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3", + "severity": 6, "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "fw111", - "mapped_source_port": 53500, - "mapped_destination_ip": "81.2.69.144", - "mapped_source_ip": "81.2.69.144", - "connection_id": "111111111", - "source_interface": "net", - "mapped_destination_port": 53500 - } - } - }, - { + "host": { + "hostname": "dev01" + }, "log": { "level": "informational" }, - "destination": { - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "nat": { - "ip": "81.2.69.144" - }, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "protocol": "icmp", - "direction": "inbound" + "direction": "inbound", + "protocol": "icmp" }, "observer": { "hostname": "dev01", 
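Review bot: The new side of this hunk records `"event.action": "flow-expiration"` and `"event.type": ["connection", "end"]` for code 302020, whose `event.original` reads `Built inbound ICMP connection ...`, i.e. the start of a flow, not its teardown; the same classification appears for the `Built local-host` (609001) events later in the file. Since this commit is specifically about agreeing with ECS, the expected `event.type` for a Built message should presumably be `["connection", "start"]` with an action that does not say expiration, leaving `end`/`flow-expiration` for the Teardown codes (302021, 609002). This would be fixed in the ingest pipeline's code-to-action mapping and the fixture regenerated, rather than edited by hand here.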
@@ -202,10 +218,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" @@ -216,48 +228,61 @@ "10.10.10.10" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "nat": { + "ip": "81.2.69.144" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": { + "source_interface": "net" + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057630905Z", - "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3", - "code": "302020", - "kind": "event", "action": "flow-expiration", "category": [ "network" ], + "code": "609002", + "duration": 0, + "end": "2022-05-05T17:51:17.000Z", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", + "severity": 7, + "start": "2022-05-05T17:51:17.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "mapped_source_ip": "81.2.69.144", - "icmp_type": 3, - "icmp_code": 3 - } - } - }, - { - "observer": { - "ingress": { - "interface": { - "name": "net" + "host": { + "hostname": "dev01" + }, + "log": { + "level": "debug" + }, + "observer": { + "hostname": "dev01", + "ingress": { + "interface": { + "name": "net" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -266,59 +291,55 @@ "192.168.2.2" ] }, - "log": { - "level": "debug" - }, - "host": { - "hostname": "dev01" - }, "source": { "address": "192.168.2.2", "ip": "192.168.2.2" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": { + "source_interface": "net" + } + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 7, - "duration": 0, - "ingested": "2021-12-14T14:36:13.057631270Z", - "original": "May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", - "code": "609002", - "kind": "event", - "start": "2021-05-05T17:51:17.000Z", "action": "flow-expiration", - "end": "2021-05-05T17:51:17.000Z", "category": [ "network" ], + "code": "609001", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2", + "severity": 7, "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "source_interface": "net" - } + "host": { + "hostname": "dev01" + }, + "log": { + "level": "debug" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { + "hostname": "dev01", "ingress": { "interface": { "name": "net" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -327,61 +348,53 @@ "192.168.2.2" ] }, - "log": { - "level": "debug" - }, - "host": { - "hostname": "dev01" - }, "source": { "address": "192.168.2.2", "ip": "192.168.2.2" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": { + "icmp_code": 1, + "icmp_type": 3, + "mapped_source_ip": "81.2.69.144" + } + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:36:13.057631640Z", - "original": "May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2", - "code": "609001", - "kind": "event", "action": "flow-expiration", "category": [ "network" ], + "code": "302020", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 1", + "severity": 6, "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "source_interface": "net" - } + "host": { + "hostname": "dev01" }, - "tags": [ - "preserve_original_event" - ] - }, - { "log": { "level": "informational" }, - "destination": { - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "nat": { - "ip": "81.2.69.144" - }, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "protocol": "icmp", - "direction": "inbound" + "direction": "inbound", + "protocol": "icmp" }, "observer": { "hostname": "dev01", @@ -389,10 +402,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -403,77 +412,78 @@ "10.10.10.10" ] }, - "host": { - "hostname": "dev01" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057632027Z", - "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 1", - "code": "302020", - "kind": "event", - "action": "flow-expiration", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "nat": { + "ip": "81.2.69.144" + } }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", "cisco": { "asa": { + "connection_id": "111111111", + "destination_interface": "fw111", + "mapped_destination_ip": "81.2.69.144", + "mapped_destination_port": 111, "mapped_source_ip": "81.2.69.144", - "icmp_type": 3, - "icmp_code": 1 + "mapped_source_port": 111, + "source_interface": "fw111" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "nat": { - "ip": "81.2.69.144" - }, "address": "192.168.2.2", - "port": 111, - "ip": "192.168.2.2" - }, - "source": { + "ip": "192.168.2.2", "nat": { "ip": "81.2.69.144" }, - "address": "10.10.10.10", - "port": 111, - "ip": "10.10.10.10" + "port": 111 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "805001", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (81.2.69.144/111) to fw111:192.168.2.2/111 (81.2.69.144/111)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "transport": "tcp flow" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "fw111" } }, "hostname": "dev01", - "product": "asa", - "type": "firewall", - "vendor": 
"Cisco", - "egress": { + "ingress": { "interface": { "name": "fw111" } - } - }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "hosts": [ 
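Review bot: The unchanged `"network": { "transport": "tcp flow" }` for code 805001 in this hunk is not an ECS-valid transport value and is inconsistent with the sibling 805002 event in the next hunk, which sets `"iana_number": "6"` and `"transport": "tcp"` for the same `TCP Flow` wording. The grok for `Offloaded TCP Flow for connection ...` appears to capture the protocol together with the word `Flow`; it should capture only the protocol token so the event gets `"transport": "tcp"` and `"iana_number": "6"` like the other TCP connection events. Because this commit's stated purpose is ECS agreement, this seems worth fixing in the pipeline in the same change and regenerating the fixture.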
@@ -485,75 +495,77 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "nat": { + "ip": "81.2.69.144" + }, + "port": 111 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": { + "connection_id": "941243214", + "destination_interface": "fw109", + "mapped_destination_ip": "10.192.70.66", + "mapped_destination_port": 443, + "mapped_source_ip": "10.192.18.4", + "mapped_source_port": 51261, + "source_interface": "net" + } + }, + "destination": { + "address": "10.192.70.66", + "ip": "10.192.70.66", + "port": 443 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057632384Z", - "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (81.2.69.144/111) to fw111:192.168.2.2/111 (81.2.69.144/111)", - "code": "805001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "805002", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "fw111", - "mapped_source_port": 111, - "mapped_destination_ip": "81.2.69.144", - "mapped_source_ip": "81.2.69.144", - "connection_id": "111111111", - "source_interface": "fw111", - "mapped_destination_port": 111 - } - } - }, - { + "host": { + "hostname": "dev01" + }, "log": { "level": "informational" }, - "destination": { - "port": 443, - "address": "10.192.70.66", - "ip": "10.192.70.66" - }, - "source": { - "port": 51261, - "address": "10.192.18.4", - "ip": "10.192.18.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + 
"interface": { + "name": "fw109" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "net" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "fw109" - } - } - }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -564,70 +576,65 @@ "10.192.70.66" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.192.18.4", + "ip": "10.192.18.4", + "port": 51261 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": { + "destination_interface": "fw111" + } + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 67 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057632745Z", - "original": "May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", - "code": "805002", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "710005", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", + "outcome": "failure", + "severity": 7, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "asa": { - "destination_interface": "fw109", - "mapped_source_port": 51261, - "mapped_destination_ip": "10.192.70.66", - "mapped_source_ip": "10.192.18.4", - "connection_id": "941243214", - "source_interface": "net", - "mapped_destination_port": 443 - } - } - }, - { + "host": { + "hostname": "dev01" + }, "log": { "level": "debug" }, - "destination": { - "port": 67, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "port": 68, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { - "hostname": "dev01", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", "egress": { "interface": { "name": "fw111" } - } - }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + 
"vendor": "Cisco" }, "related": { "hosts": [ 
@@ -638,73 +645,76 @@ "10.10.10.10" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 68 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": { + "destination_interface": "fw111", + "source_interface": "net" + } + }, + "client": { + "user": { + "name": "testuser" + } + }, + "destination": { + "address": "10.192.18.4", + "ip": "10.192.18.4", + "port": 21 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:36:13.057633632Z", - "original": "May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", - "code": "710005", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "303002", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", + "severity": 6, "type": [ - "info", - "denied" - ], - "outcome": "failure" + "info" + ] }, - "cisco": { - "asa": { - "destination_interface": "fw111" - } - } - }, - { - "log": { - "level": "informational" + "file": { + "path": "/export/home/sysm/ftproot/sdsdsds/tmp.log" }, - "destination": { - "port": 21, - "address": "10.192.18.4", - "ip": "10.192.18.4" + "host": { + "hostname": "dev01" }, - "source": { - "port": 63656, - "address": "192.168.2.2", - "ip": "192.168.2.2" + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "ftp" }, "observer": { + "egress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "net" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "fw111" - } - } - }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "file": { - "path": 
"/export/home/sysm/ftproot/sdsdsds/tmp.log" - }, - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -715,150 +725,146 @@ "10.192.18.4" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 63656 }, - "client": { - "user": { - "name": "testuser" - } + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057634031Z", - "original": "May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", - "code": "303002", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "710006", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", + "severity": 7, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "fw111", - "source_interface": "net" - } - } - }, - { + "host": { + "hostname": "dev01" + }, + "log": { + "level": "debug" + }, "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "debug" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T17:51:17.000Z", + "cisco": { + "asa": { + "source_interface": "fw111" + } }, - "host": { - "hostname": "dev01" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:36:13.057634409Z", - "original": "May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", - "code": "710006", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "313005", + "kind": "event", + "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp 
src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 81.2.69.144/10872.", + "severity": 4, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "warning" + }, + "network": { + "iana_number": "1", + "transport": "icmp" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { + "hostname": "dev01", "ingress": { "interface": { "name": "fw111" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T17:51:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "warning" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T18:16:21.000Z", + "cisco": { + "asa": { + "icmp_code": 0, + "icmp_type": 8, + "mapped_source_ip": "81.2.69.144" + } }, - "host": { - "hostname": "dev01" + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:13.057634959Z", - "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. 
Original IP payload: udp src 192.18.4/53 dst 81.2.69.144/10872.", - "code": "313005", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302021", + "kind": "event", + "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 81.2.69.144/2 laddr 10.10.10.10/2 type 8 code 0", + "severity": 6, "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "source_interface": "fw111" - } + "host": { + "hostname": "dev01" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "1", - "transport": "icmp" - } - }, - { "log": { "level": "informational" }, - "destination": { - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "source": { - "nat": { - "ip": "81.2.69.144" - }, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" @@ -869,10 +875,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T18:16:21.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -883,48 +885,58 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "nat": { + "ip": "81.2.69.144" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T18:22:35.000Z", + "cisco": { + "asa": { + "source_interface": "net" + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057635336Z", - "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 81.2.69.144/2 laddr 10.10.10.10/2 type 8 code 0", - "code": "302021", - "kind": "event", "action": "flow-expiration", "category": [ "network" ], + "code": "609001", + "kind": "event", + "original": "May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10", + "severity": 7, "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "mapped_source_ip": "81.2.69.144", - "icmp_type": 8, - "icmp_code": 0 - } - } - }, - { + "host": { + "hostname": "dev01" + }, + "log": { + "level": "debug" + }, "observer": { + "hostname": "dev01", "ingress": { "interface": { "name": "net" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T18:22:35.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -933,56 +945,58 @@ "10.10.10.10" ] }, - "log": { - "level": "debug" - }, - "host": { - "hostname": "dev01" - }, "source": { "address": "10.10.10.10", "ip": "10.10.10.10" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T18:24:31.000Z", + "cisco": { + "asa": { + "source_interface": "identity" + } + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:36:13.057635687Z", - "original": "May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10", - "code": "609001", - "kind": "event", "action": "flow-expiration", "category": [ "network" ], + "code": "609002", + "duration": 0, + "end": "2022-05-05T18:24:31.000Z", + "kind": "event", + "original": "May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", + "severity": 7, + "start": "2022-05-05T18:24:31.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "source_interface": "net" - } + "host": { + "hostname": "dev01" + }, + "log": { + "level": "debug" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { + "hostname": "dev01", "ingress": { "interface": { "name": "identity" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T18:24:31.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -991,64 +1005,51 @@ "10.10.10.10" ] }, - "log": { - "level": "debug" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" }, - "host": { - "hostname": "dev01" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T18:29:32.000Z", + "cisco": { + "asa": { + "mapped_source_ip": "81.2.69.144" + } }, - "source": { + "destination": { "address": "10.10.10.10", "ip": "10.10.10.10" }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 7, - "duration": 0, - "ingested": "2021-12-14T14:36:13.057636049Z", - "original": "May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", - "code": "609002", - "kind": "event", - "start": "2021-05-05T18:24:31.000Z", "action": "flow-expiration", - "end": "2021-05-05T18:24:31.000Z", "category": [ "network" ], + "code": "302020", + "kind": "event", + "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 10.192.46.90/0", + "severity": 6, "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "source_interface": "identity" - } + "host": { + "hostname": "dev01" }, - "tags": [ - "preserve_original_event" - ] - }, - { "log": { "level": "informational" }, - "destination": { - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "nat": { - "ip": "81.2.69.144" - }, - "address": "10.192.46.90", - "ip": "10.192.46.90" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "protocol": "icmp", - "direction": "inbound" + "direction": "inbound", + "protocol": "icmp" }, "observer": { "hostname": "dev01", @@ -1056,10 +1057,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T18:29:32.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -1070,51 +1067,56 @@ "10.10.10.10" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.192.46.90", + "ip": "10.192.46.90", + "nat": { + "ip": "81.2.69.144" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T18:29:32.000Z", + "cisco": { + "asa": { + "icmp_code": 3, + "icmp_type": 3, + "mapped_source_ip": "81.2.69.144" + } + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057636410Z", - "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 10.192.46.90/0", - "code": "302020", - "kind": "event", "action": "flow-expiration", "category": [ "network" ], + "code": "302020", + "kind": "event", + "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3", + "severity": 6, "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "mapped_source_ip": "81.2.69.144" - } - } - }, - { + "host": { + "hostname": "dev01" + }, "log": { "level": "informational" }, - "destination": { - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "nat": { - "ip": "81.2.69.144" - }, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "protocol": "icmp", - "direction": "outbound" + "direction": "outbound", + "protocol": "icmp" }, "observer": { "hostname": "dev01", @@ -1122,10 +1124,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T18:29:32.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -1136,73 +1134,78 @@
 "10.10.10.10"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "nat": {
+ "ip": "81.2.69.144"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:29:32.000Z",
+ "cisco": {
+ "asa": {
+ "connection_id": "2960892904",
+ "destination_interface": "fw111",
+ "source_interface": "out111"
+ }
+ },
+ "destination": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 55225
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:36:13.057636881Z",
- "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3",
- "code": "302020",
- "kind": "event",
 "action": "flow-expiration",
 "category": [
 "network"
 ],
+ "code": "302014",
+ "duration": 0,
+ "end": "2022-05-05T18:29:32.000Z",
+ "kind": "event",
+ "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I",
+ "reason": "TCP Reset-I",
+ "severity": 6,
+ "start": "2022-05-05T18:29:32.000Z",
 "type": [
 "connection",
 "end"
 ]
 },
- "cisco": {
- "asa": {
- "mapped_source_ip": "81.2.69.144",
- "icmp_type": 3,
- "icmp_code": 3
- }
- }
- },
- {
+ "host": {
+ "hostname": "dev01"
+ },
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 55225,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "source": {
- "port": 443,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "bytes": 0,
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "fw111"
+ }
+ },
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "out111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "fw111"
- }
- }
- },
- "@timestamp": "2021-05-05T18:29:32.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
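Review bot: The added `"@timestamp"`, `"start"` and `"end"` values of this 302014 teardown move from 2021 to 2022 although `event.original` (`May 5 18:29:32 dev01: ...`) carries no year, which suggests the pipeline fills in the year from the clock at generation time and the expected file therefore depends on when it was last regenerated. That will break again on the next regeneration in a different year, and it cannot catch a regression in the year inference itself. Either pin the reference date in the test configuration, if this package's pipeline-test harness supports that, or use sample lines that carry an explicit year, so the expected values stay stable. The `duration`/`start`/`end` triple itself is consistent (0 ns, start equals end); only the source of the year is in question.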
@@ -1213,83 +1216,78 @@
 "192.168.2.2"
 ]
 },
- "host": {
- "hostname": "dev01"
- },
- "event": {
- "severity": 6,
- "duration": 0,
- "reason": "TCP Reset-I",
- "ingested": "2021-12-14T14:36:13.057637245Z",
- "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I",
- "code": "302014",
- "kind": "event",
- "start": "2021-05-05T18:29:32.000Z",
- "action": "flow-expiration",
- "end": "2021-05-05T18:29:32.000Z",
- "category": [
- "network"
- ],
- "type": [
- "connection",
- "end"
- ]
+ "source": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 443
 },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:29:32.000Z",
 "cisco": {
 "asa": {
- "destination_interface": "fw111",
- "connection_id": "2960892904",
- "source_interface": "out111"
+ "connection_id": "1588662",
+ "destination_interface": "net",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_destination_port": 54839,
+ "mapped_source_ip": "81.2.69.144",
+ "mapped_source_port": 80,
+ "source_interface": "intfacename"
 }
- }
- },
- {
- "log": {
- "level": "informational"
 },
 "destination": {
- "nat": {
- "ip": "81.2.69.144"
- },
 "address": "10.10.10.10",
- "port": 54839,
- "ip": "10.10.10.10"
- },
- "source": {
+ "ip": "10.10.10.10",
 "nat": {
 "ip": "81.2.69.144"
 },
- "address": "192.168.2.2",
- "port": 80,
- "ip": "192.168.2.2"
+ "port": 54839
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "code": "302013",
+ "kind": "event",
+ "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (81.2.69.144/80) to net:10.10.10.10/54839 (81.2.69.144/54839)",
+ "severity": 6,
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
+ },
+ "log": {
+ "level": "informational"
 },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
+ "direction": "outbound",
 "iana_number": "6",
- "transport": "tcp",
- "direction": "outbound"
+ "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "net"
+ }
+ },
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "intfacename"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "net"
- }
- }
- },
- "@timestamp": "2021-05-05T18:29:32.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
@@ -1301,75 +1299,76 @@
 "10.10.10.10"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "nat": {
+ "ip": "81.2.69.144"
+ },
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:29:32.000Z",
+ "cisco": {
+ "asa": {
+ "destination_interface": "out111",
+ "source_interface": "fw111"
+ }
+ },
+ "destination": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 54230
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:36:13.057637610Z",
- "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (81.2.69.144/80) to net:10.10.10.10/54839 (81.2.69.144/54839)",
- "code": "302013",
- "kind": "event",
- "action": "firewall-rule",
+ "action": "flow-expiration",
 "category": [
 "network"
 ],
+ "code": "302012",
+ "duration": 0,
+ "end": "2022-05-05T18:29:32.000Z",
+ "kind": "event",
+ "original": "May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00",
+ "severity": 6,
+ "start": "2022-05-05T18:29:32.000Z",
 "type": [
- "info"
+ "connection",
+ "end"
 ]
 },
- "cisco": {
- "asa": {
- "destination_interface": "net",
- "mapped_source_port": 80,
- "mapped_destination_ip": "81.2.69.144",
- "mapped_source_ip": "81.2.69.144",
- "connection_id": "1588662",
- "source_interface": "intfacename",
- "mapped_destination_port": 54839
- }
- }
- },
- {
+ "host": {
+ "hostname": "dev01"
+ },
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 54230,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "source": {
- "port": 54230,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "17",
 "transport": "udp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "out111"
+ }
+ },
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "fw111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "out111"
- }
- }
- },
- "@timestamp": "2021-05-05T18:29:32.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
@@ -1380,68 +1379,66 @@
 "192.168.2.2"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 54230
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:40:50.000Z",
+ "cisco": {
+ "asa": {
+ "icmp_type": 0,
+ "source_interface": "fw502"
+ }
+ },
+ "destination": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2"
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "duration": 0,
- "ingested": "2021-12-14T14:36:13.057637986Z",
- "original": "May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00",
- "code": "302012",
- "kind": "event",
- "start": "2021-05-05T18:29:32.000Z",
- "action": "flow-expiration",
- "end": "2021-05-05T18:29:32.000Z",
+ "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "313004",
+ "kind": "event",
+ "original": "May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
- "connection",
- "end"
+ "info",
+ "denied"
 ]
 },
- "cisco": {
- "asa": {
- "destination_interface": "out111",
- "source_interface": "fw111"
- }
- }
- },
- {
+ "host": {
+ "hostname": "dev01"
+ },
 "log": {
 "level": "warning"
 },
- "destination": {
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "source": {
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "1",
 "transport": "icmp"
 },
 "observer": {
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "fw502"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
 "vendor": "Cisco"
 },
- "@timestamp": "2021-05-05T18:40:50.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "dev01"
@@ -1451,72 +1448,68 @@
 "192.168.2.2"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:40:50.000Z",
+ "cisco": {
+ "asa": {
+ "destination_interface": "out111",
+ "source_interface": "fw111"
+ }
+ },
+ "destination": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 57006
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:36:13.057638359Z",
- "original": "May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session",
- "code": "313004",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "305011",
+ "kind": "event",
+ "original": "May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006",
+ "severity": 6,
 "type": [
- "info",
- "denied"
- ],
- "outcome": "failure"
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
 },
- "cisco": {
- "asa": {
- "icmp_type": 0,
- "source_interface": "fw502"
- }
- }
- },
- {
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 57006,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "source": {
- "port": 57006,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "out111"
+ }
+ },
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "fw111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "out111"
- }
- }
- },
- "@timestamp": "2021-05-05T18:40:50.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
@@ -1527,67 +1520,67 @@
 "192.168.2.2"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 57006
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:40:50.000Z",
+ "cisco": {
+ "asa": {
+ "source_interface": "out111"
+ }
+ },
+ "destination": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 14322
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:36:13.057638717Z",
- "original": "May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006",
- "code": "305011",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106001",
+ "kind": "event",
+ "original": "May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111",
+ "outcome": "failure",
+ "severity": 2,
 "type": [
- "info"
+ "info",
+ "denied"
 ]
 },
- "cisco": {
- "asa": {
- "destination_interface": "out111",
- "source_interface": "fw111"
- }
- }
- },
- {
+ "host": {
+ "hostname": "dev01"
+ },
 "log": {
 "level": "critical"
 },
- "destination": {
- "port": 14322,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "source": {
- "port": 43803,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
+ "direction": "inbound",
 "iana_number": "6",
- "transport": "tcp",
- "direction": "inbound"
+ "transport": "tcp"
 },
 "observer": {
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "out111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
 "vendor": "Cisco"
 },
- "@timestamp": "2021-05-05T18:40:50.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "dev01"
@@ -1597,72 +1590,75 @@
 "10.10.10.10"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 43803
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:40:50.000Z",
+ "cisco": {
+ "asa": {
+ "connection_id": "1671727",
+ "destination_interface": "net",
+ "source_interface": "intfacename"
+ }
+ },
+ "destination": {
+ "address": "1192.168.2.2",
+ "domain": "1192.168.2.2",
+ "port": 53356
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 2,
- "ingested": "2021-12-14T14:36:13.057639099Z",
- "original": "May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111",
- "code": "106001",
- "kind": "event",
- "action": "firewall-rule",
+ "action": "flow-expiration",
 "category": [
 "network"
 ],
+ "code": "302016",
+ "duration": 124000000000,
+ "end": "2022-05-05T18:40:50.000Z",
+ "kind": "event",
+ "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:1192.168.2.2/53356 duration 0:02:04 bytes 64585",
+ "severity": 2,
+ "start": "2022-05-05T18:38:46.000Z",
 "type": [
- "info",
- "denied"
- ],
- "outcome": "failure"
+ "connection",
+ "end"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
 },
- "cisco": {
- "asa": {
- "source_interface": "out111"
- }
- }
- },
- {
 "log": {
 "level": "critical"
 },
- "destination": {
- "port": 53356,
- "address": "1192.168.2.2",
- "domain": "1192.168.2.2"
- },
- "source": {
- "port": 161,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "bytes": 64585,
 "iana_number": "17",
 "transport": "udp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "net"
+ }
+ },
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "intfacename"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "net"
- }
- }
- },
- "@timestamp": "2021-05-05T18:40:50.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
@@ -1673,82 +1669,78 @@
 "10.10.10.10"
 ]
 },
- "host": {
- "hostname": "dev01"
- },
- "event": {
- "severity": 2,
- "duration": 124000000000,
- "ingested": "2021-12-14T14:36:13.057639576Z",
- "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:1192.168.2.2/53356 duration 0:02:04 bytes 64585",
- "code": "302016",
- "kind": "event",
- "start": "2021-05-05T18:38:46.000Z",
- "action": "flow-expiration",
- "end": "2021-05-05T18:40:50.000Z",
- "category": [
- "network"
- ],
- "type": [
- "connection",
- "end"
- ]
+ "source": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 161
 },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:40:50.000Z",
 "cisco": {
 "asa": {
+ "connection_id": "1743372",
 "destination_interface": "net",
- "connection_id": "1671727",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_destination_port": 22638,
+ "mapped_source_ip": "81.2.69.144",
+ "mapped_source_port": 161,
 "source_interface": "intfacename"
 }
- }
- },
- {
- "log": {
- "level": "critical"
 },
 "destination": {
- "nat": {
- "ip": "81.2.69.144"
- },
 "address": "192.168.2.2",
- "port": 22638,
- "ip": "192.168.2.2"
- },
- "source": {
+ "ip": "192.168.2.2",
 "nat": {
 "ip": "81.2.69.144"
 },
- "address": "10.10.10.10",
- "port": 161,
- "ip": "10.10.10.10"
+ "port": 22638
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "code": "302015",
+ "kind": "event",
+ "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)",
+ "severity": 2,
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
+ },
+ "log": {
+ "level": "critical"
 },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
+ "direction": "outbound",
 "iana_number": "17",
- "transport": "udp",
- "direction": "outbound"
+ "transport": "udp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "net"
+ }
+ },
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "intfacename"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "net"
- }
- }
- },
- "@timestamp": "2021-05-05T18:40:50.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
@@ -1760,82 +1752,81 @@
 "192.168.2.2"
 ]
 },
- "host": {
- "hostname": "dev01"
- },
- "event": {
- "severity": 2,
- "ingested": "2021-12-14T14:36:13.057639938Z",
- "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)",
- "code": "302015",
- "kind": "event",
- "action": "firewall-rule",
- "category": [
- "network"
- ],
- "type": [
- "info"
- ]
+ "source": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "nat": {
+ "ip": "81.2.69.144"
+ },
+ "port": 161
 },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:40:50.000Z",
 "cisco": {
 "asa": {
+ "connection_id": "1743372",
 "destination_interface": "net",
- "mapped_source_port": 161,
 "mapped_destination_ip": "81.2.69.144",
+ "mapped_destination_port": 22638,
 "mapped_source_ip": "81.2.69.144",
- "connection_id": "1743372",
- "source_interface": "intfacename",
- "mapped_destination_port": 22638
+ "mapped_source_port": 161,
+ "source_interface": "intfacename"
 }
- }
- },
- {
- "log": {
- "level": "critical"
 },
 "destination": {
- "nat": {
- "ip": "81.2.69.144"
- },
 "address": "192.168.2.2",
- "port": 22638,
- "ip": "192.168.2.2"
- },
- "source": {
+ "ip": "192.168.2.2",
 "nat": {
 "ip": "81.2.69.144"
 },
- "address": "10.10.10.10",
- "port": 161,
- "ip": "10.10.10.10"
+ "port": 22638
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "code": "302015",
+ "kind": "event",
+ "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)",
+ "severity": 2,
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
+ },
+ "log": {
+ "level": "critical"
 },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
+ "direction": "outbound",
 "iana_number": "17",
- "transport": "udp",
- "direction": "outbound"
+ "transport": "udp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "net"
+ }
+ },
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "intfacename"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "net"
- }
- }
- },
- "@timestamp": "2021-05-05T18:40:50.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
@@ -1847,75 +1838,75 @@
 "192.168.2.2"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "nat": {
+ "ip": "81.2.69.144"
+ },
+ "port": 161
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:40:50.000Z",
+ "cisco": {
+ "asa": {
+ "destination_interface": "out111",
+ "rule_name": "out1111_access_out",
+ "source_interface": "fw111"
+ }
+ },
+ "destination": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 443
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 2,
- "ingested": "2021-12-14T14:36:13.057640297Z",
- "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)",
- "code": "302015",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
- "info"
+ "info",
+ "denied"
 ]
 },
- "cisco": {
- "asa": {
- "destination_interface": "net",
- "mapped_source_port": 161,
- "mapped_destination_ip": "81.2.69.144",
- "mapped_source_ip": "81.2.69.144",
- "connection_id": "1743372",
- "source_interface": "intfacename",
- "mapped_destination_port": 22638
- }
- }
- },
- {
+ "host": {
+ "hostname": "dev01"
+ },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 443,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "source": {
- "port": 64388,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
- "ingress": {
+ "egress": {
 "interface": {
- "name": "fw111"
+ "name": "out111"
 }
 },
 "hostname": "dev01",
- "product": "asa",
- "type": "firewall",
- "vendor": "Cisco",
- "egress": {
+ "ingress": {
 "interface": {
- "name": "out111"
+ "name": "fw111"
 }
- }
- },
- "@timestamp": "2021-05-05T18:40:50.000Z",
- "ecs": {
- "version": "1.12.0"
+ },
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
@@ -1926,67 +1917,65 @@
 "192.168.2.2"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 64388
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T18:40:50.000Z",
+ "cisco": {
+ "asa": {
+ "source_interface": "fw111"
+ }
+ },
+ "destination": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10"
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:36:13.057640742Z",
- "original": "May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106021",
+ "kind": "event",
+ "original": "May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
 },
- "cisco": {
- "asa": {
- "destination_interface": "out111",
- "rule_name": "out1111_access_out",
- "source_interface": "fw111"
- }
- }
- },
- {
 "log": {
 "level": "warning"
 },
- "destination": {
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "source": {
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "fw111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
 "vendor": "Cisco"
 },
- "@timestamp": "2021-05-05T18:40:50.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "dev01"
@@ -1996,68 +1985,66 @@
 "10.10.10.10"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T19:02:58.000Z",
+ "cisco": {
+ "asa": {
+ "source_interface": "fw111"
+ }
+ },
+ "destination": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 65020
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:36:13.057641120Z",
- "original": "May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111",
- "code": "106021",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106006",
+ "kind": "event",
+ "original": "May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111",
+ "outcome": "failure",
+ "severity": 2,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
 },
- "cisco": {
- "asa": {
- "source_interface": "fw111"
- }
- }
- },
- {
 "log": {
 "level": "critical"
 },
- "destination": {
- "port": 65020,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "source": {
- "port": 65020,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
+ "direction": "inbound",
 "iana_number": "17",
- "transport": "udp",
- "direction": "inbound"
+ "transport": "udp"
 },
 "observer": {
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "fw111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
 "vendor": "Cisco"
 },
- "@timestamp": "2021-05-05T19:02:58.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "dev01"
@@ -2067,67 +2054,66 @@
 "10.10.10.10"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 65020
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T19:02:58.000Z",
+ "cisco": {
+ "asa": {
+ "source_interface": "out111"
+ }
+ },
+ "destination": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 443
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 2,
- "ingested": "2021-12-14T14:36:13.057641481Z",
- "original": "May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111",
- "code": "106006",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106015",
+ "kind": "event",
+ "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111",
+ "outcome": "failure",
+ "severity": 6,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
 },
- "cisco": {
- "asa": {
- "source_interface": "fw111"
- }
- }
- },
- {
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 443,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "source": {
- "port": 53089,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "out111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
 "vendor": "Cisco"
 },
- "@timestamp": "2021-05-05T19:02:58.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "dev01"
@@ -2137,67 +2123,66 @@
 "10.10.10.10"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 53089
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T19:02:58.000Z",
+ "cisco": {
+ "asa": {
+ "source_interface": "out111"
+ }
+ },
+ "destination": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 443
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:36:13.057641836Z",
- "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111",
- "code": "106015",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106015",
+ "kind": "event",
+ "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111",
+ "outcome": "failure",
+ "severity": 6,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
 },
- "cisco": {
- "asa": {
- "source_interface": "out111"
- }
- }
- },
- {
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 443,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "source": {
- "port": 17127,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "out111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
 "vendor": "Cisco"
 },
- "@timestamp": "2021-05-05T19:02:58.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "dev01"
@@ -2207,67 +2192,66 @@
 "10.10.10.10"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 17127
 },
- "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:36:13.057642198Z",
- "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111",
- "code": "106015",
- "kind": "event",
- "action": "firewall-rule",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T19:02:58.000Z",
+ "cisco": {
+ "asa": {
+ "source_interface": "fw111"
+ }
+ },
+ "destination": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "port": 443
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106015",
+ "kind": "event",
+ "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111",
+ "outcome": "failure",
+ "severity": 6,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
 },
- "cisco": {
- "asa": {
- "source_interface": "out111"
- }
- }
- },
- {
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 443,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "source": {
- "port": 24223,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "fw111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
 "vendor": "Cisco"
 },
- "@timestamp": "2021-05-05T19:02:58.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "dev01"
@@ -2277,71 +2261,69 @@
 "10.10.10.10"
 ]
 },
- "host": {
- "hostname": "dev01"
+ "source": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 24223
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-05T19:02:58.000Z",
+ "cisco": {
+ "asa": {
+ "destination_interface": "net",
+ "source_interface": "fw1111"
+ }
+ },
+ "destination": {
+ "address": "192.168.2.2",
+ "ip": "192.168.2.2",
+ "port": 10051
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:36:13.057642558Z",
- "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111",
- "code": "106015",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "302022",
+ "kind": "event",
+ "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)",
+ "severity": 6,
 "type": [
- "info",
- "denied"
- ],
- "outcome": "failure"
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "dev01"
 },
- "cisco": {
- "asa": {
- "source_interface": "fw111"
- }
- }
- },
- {
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 10051,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
- },
- "source": {
- "port": 38540,
- "address": "10.10.10.10",
- "ip": "10.10.10.10"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "net"
+ }
+ },
+ "hostname": "dev01",
 "ingress": {
 "interface": {
 "name": "fw1111"
 }
 },
- "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "net"
- }
- }
- },
- "@timestamp": "2021-05-05T19:02:58.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
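Review bot: For the 302022 "Built director stub TCP connection" event the added `event.original` carries mapped address/port pairs `(8.8.8.5/38540)` and `(81.2.69.144/10051)`, yet the new `cisco.asa` object holds only `destination_interface`/`source_interface` and no `source.nat.ip`/`destination.nat.ip` or `mapped_*` fields are expected, unlike the 302013 "Built outbound TCP connection" event earlier in this file where the same paren­thesized pairs populate `mapped_source_ip`/`mapped_destination_ip` and `*.nat.ip`. If the 302022 pattern is meant to mirror the 302013 one, this fixture is pinning a lossy parse in which the NAT addresses of stub connections are silently dropped; if the omission is intentional, it deserves a note next to the sample line so the next regeneration does not "fix" it by accident. The forwarder and backup stub variants in the next two hunks show the same gap. The `source` block of this object lies outside the hunk.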
@@ -2352,70 +2334,69 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 38540 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:58.000Z", + "cisco": { + "asa": { + "destination_interface": "net", + "source_interface": "fw111" + } + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 10051 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057642918Z", - "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)", - "code": "302022", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302022", + "kind": "event", + "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "net", - "source_interface": "fw1111" - } - } - }, - { + "host": { + "hostname": "dev01" + }, "log": { "level": "informational" }, - "destination": { - "port": 10051, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "source": { - "port": 38540, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "fw111" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "net" - } - } - }, - "@timestamp": "2021-05-05T19:02:58.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -2426,70 +2407,69 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 38540 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:58.000Z", + "cisco": { + "asa": { + "destination_interface": "net", + "source_interface": "fw111" + } + }, + "destination": { + "address": "192.1682.2.2", + "domain": "192.1682.2.2", + "port": 10051 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057643280Z", - "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)", - "code": "302022", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302022", + "kind": "event", + "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (81.2.69.144/10051)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "net", - "source_interface": "fw111" - } - } - }, - { + "host": { + "hostname": "dev01" + }, "log": { "level": "informational" }, - "destination": { - "port": 10051, - "address": "192.1682.2.2", - "domain": "192.1682.2.2" - }, - "source": { - "port": 38540, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "fw111" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "net" - } - } - }, - "@timestamp": "2021-05-05T19:02:58.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
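Review bot: The new side of this hunk encodes that the malformed host token `192.1682.2.2` is routed to `"destination": { "address": "192.1682.2.2", "domain": "192.1682.2.2", "port": 10051 }` with no `destination.ip`, which is the safe behaviour for an `ip`-typed field, but nothing records that this line deliberately exercises the non-IP fallback rather than being a typo in the sample log. A one-line remark in the test log or in the package README, along the lines of `non-IP host tokens are kept in *.domain and *.address instead of *.ip`, would stop the next reader from "fixing" the sample and silently losing the coverage. The enclosing object starts and ends outside this hunk.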
@@ -2500,71 +2480,74 @@ "10.10.10.10" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 38540 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:58.000Z", + "cisco": { + "asa": { + "destination_interface": "net", + "source_interface": "fw111" + } + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 10051 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057643750Z", - "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (81.2.69.144/10051)", - "code": "302022", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302023", + "duration": 0, + "end": "2022-05-05T19:02:58.000Z", + "kind": "event", + "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", + "reason": "Cluster flow with CLU closed on owner", + "severity": 6, + "start": "2022-05-05T19:02:58.000Z", "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "net", - "source_interface": "fw111" - } - } - }, - { + "host": { + "hostname": "dev01" + }, "log": { "level": "informational" }, - "destination": { - "port": 10051, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "source": { - "port": 39210, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 0, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "fw111" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": 
"net" - } - } - }, - "@timestamp": "2021-05-05T19:02:58.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -2575,75 +2558,74 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 39210 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:58.000Z", + "cisco": { + "asa": { + "destination_interface": "unknown", + "source_interface": "net" + } + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 39222 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "Cluster flow with CLU closed on owner", - "ingested": "2021-12-14T14:36:13.057644110Z", - "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", - "code": "302023", - "kind": "event", - "start": "2021-05-05T19:02:58.000Z", "action": "firewall-rule", - "end": "2021-05-05T19:02:58.000Z", "category": [ "network" ], + "code": "302023", + "duration": 0, + "end": "2022-05-05T19:02:58.000Z", + "kind": "event", + "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", + "reason": "Forwarding or redirect flow removed to create director or backup flow", + "severity": 6, + "start": "2022-05-05T19:02:58.000Z", "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "net", - "source_interface": "fw111" - } - } - }, - { + "host": { + "hostname": "dev01" + }, "log": { "level": "informational" }, - "destination": { - "port": 39222, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "source": { - "port": 10051, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 0, "iana_number": "6", "transport": "tcp" }, "observer": { + 
"egress": { + "interface": { + "name": "unknown" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "net" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "unknown" - } - } - }, - "@timestamp": "2021-05-05T19:02:58.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -2654,176 +2636,172 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 10051 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:03:27.000Z", + "cisco": { + "asa": { + "command_line_arguments": "show access-list fw211111_access_out brief" + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "Forwarding or redirect flow removed to create director or backup flow", - "ingested": "2021-12-14T14:36:13.057644480Z", - "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", - "code": "302023", - "kind": "event", - "start": "2021-05-05T19:02:58.000Z", "action": "firewall-rule", - "end": "2021-05-05T19:02:58.000Z", "category": [ "network" ], + "code": "111009", + "kind": "event", + "original": "May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", + "severity": 7, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "unknown", - "source_interface": "net" + "host": { + "hostname": "dev01", + "user": { + "name": "aaaa" } - } - }, - { + }, + "log": { + "level": "debug" + }, "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T19:03:27.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "aaaa" - ], "hosts": [ "dev01" + ], + "user": [ + "aaaa" ] }, - "log": { - "level": "debug" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:26.000Z", + "cisco": { + "asa": { + "command_line_arguments": "show access-list aaa_out brief" + } }, - "host": { - "user": { - "name": "aaaa" - }, - "hostname": "dev01" + "ecs": { + "version": "1.12.0" }, 
"event": { - "severity": 7, - "ingested": "2021-12-14T14:36:13.057644837Z", - "original": "May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", - "code": "111009", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "111009", + "kind": "event", + "original": "May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", + "severity": 7, "type": [ "info" ] }, - "cisco": { - "asa": { - "command_line_arguments": "show access-list fw211111_access_out brief" + "host": { + "hostname": "dev01", + "user": { + "name": "aaaa" } }, - "tags": [ - "preserve_original_event" - ] - }, - { + "log": { + "level": "debug" + }, "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T19:02:26.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "aaaa" - ], "hosts": [ "dev01" + ], + "user": [ + "aaaa" ] }, - "log": { - "level": "debug" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:26.000Z", + "cisco": { + "asa": { + "destination_interface": "fw111", + "rule_name": "fw111_out", + "source_interface": "ptaaac" + } }, - "host": { - "user": { - "name": "aaaa" - }, - "hostname": "dev01" + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 3452 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:36:13.057645193Z", - "original": "May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", - "code": "111009", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", + "outcome": "success", + "severity": 6, 
"type": [ - "info" + "info", + "allowed" ] }, - "cisco": { - "asa": { - "command_line_arguments": "show access-list aaa_out brief" - } + "host": { + "hostname": "dev01" }, - "tags": [ - "preserve_original_event" - ] - }, - { "log": { "level": "informational" }, - "destination": { - "port": 3452, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "port": 62157, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "ptaaac" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "fw111" - } - } - }, - "@timestamp": "2021-05-05T19:02:26.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
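Review bot: The new side of this hunk places the executing user under `"host": { "hostname": "dev01", "user": { "name": "aaaa" } }` for both 111009 `executed cmd` events, and as far as I recall `host.user.*` is a deprecated field set in ECS 1.x (removed in 8.0), so for a commit titled "Make fields agree with ECS" the user would normally land in `user.name`; `related.user` already lists `aaaa`, so only the placement needs attention. The command itself appears only in `cisco.asa.command_line_arguments`; mirroring it into `process.command_line` would let vendor-agnostic detection rules see administrator command execution on the firewall. The objects this hunk edits extend beyond the hunk.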
@@ -2834,73 +2812,72 @@ "10.10.10.10" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 62157 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:26.000Z", + "cisco": { + "asa": { + "destination_interface": "fw111", + "rule_name": "fw111_out", + "source_interface": "net" + } + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 6007 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057645554Z", - "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", + "outcome": "success", + "severity": 6, "type": [ "info", "allowed" - ], - "outcome": "success" + ] + }, + "host": { + "hostname": "dev01" }, - "cisco": { - "asa": { - "destination_interface": "fw111", - "rule_name": "fw111_out", - "source_interface": "ptaaac" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 6007, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "port": 49033, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "net" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "fw111" - } - } - }, - 
"@timestamp": "2021-05-05T19:02:26.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -2911,154 +2888,149 @@ "10.10.10.10" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 49033 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:26.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057645905Z", - "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302027", + "kind": "event", + "original": "May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", + "severity": 6, "type": [ - "info", - "allowed" - ], - "outcome": "success" + "info" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "cisco": { - "asa": { - "destination_interface": "fw111", - "rule_name": "fw111_out", - "source_interface": "net" - } - } - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T19:02:26.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:26.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "dev01" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057646262Z", - "original": "May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", - "code": "302027", 
- "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302026", + "kind": "event", + "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (81.2.69.144)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T19:02:26.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:26.000Z", + "cisco": { + "asa": { + "destination_interface": "net" + } }, - "host": { - "hostname": "dev01" + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 1985 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057646638Z", - "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (81.2.69.144)", - "code": "302026", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "710005", + "kind": "event", + "original": "May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", + "outcome": "failure", + "severity": 7, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" }, - "tags": [ - "preserve_original_event" - ] - }, - { "log": { "level": "debug" }, - "destination": { - "port": 1985, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "source": { - "port": 1985, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], - "network": 
{ - "iana_number": "17", - "transport": "udp" + "network": { + "iana_number": "17", + "transport": "udp" }, "observer": { - "hostname": "dev01", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", "egress": { "interface": { "name": "net" } - } - }, - "@timestamp": "2021-05-05T19:02:26.000Z", - "ecs": { - "version": "1.12.0" + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "hosts": [ 
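Review bot: Several documents on the new side of this hunk carry an empty vendor object, `"cisco": { "asa": {} }`, for messages that set no ASA-specific field (302027, 302026 here and again in the hunk at @@ -3069). An empty object adds nothing a consumer can query and makes "no vendor fields present" look like "vendor fields present but empty"; dropping `cisco.asa` when it is empty at the end of the pipeline would keep the documents consistent with those that omit the key. The documents this hunk edits are opened and closed outside it.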
@@ -3069,156 +3041,155 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 1985 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:26.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:36:13.057646992Z", - "original": "May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", - "code": "710005", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302025", + "kind": "event", + "original": "May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", + "severity": 6, "type": [ - "info", - "denied" - ], - "outcome": "failure" + "info" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "cisco": { - "asa": { - "destination_interface": "net" - } - } - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T19:02:26.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:26.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "dev01" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057647348Z", - "original": "May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", - "code": "302025", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302024", + "kind": 
"event", + "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (81.2.69.144/123)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T19:02:26.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:26.000Z", + "cisco": { + "asa": { + "destination_interface": "fw111", + "source_interface": "fw111" + } }, - "host": { - "hostname": "dev01" + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057647704Z", - "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (81.2.69.144/123)", - "code": "302024", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106014", + "kind": "event", + "original": "May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", + "outcome": "failure", + "severity": 3, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" }, - "tags": [ - "preserve_original_event" - ] - }, - { "log": { "level": "error" }, - "destination": { - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "inbound", "iana_number": "1", - "transport": "icmp", - "direction": 
"inbound" + "transport": "icmp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "fw111" } }, "hostname": "dev01", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "fw111" } - } - }, - "@timestamp": "2021-05-05T19:02:26.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3228,125 +3199,122 @@ "10.10.10.10" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:25.000Z", + "cisco": { + "asa": { + "burst": { + "avg_rate": "7", + "configured_avg_rate": "-4", + "configured_rate": "-4", + "cumulative_count": "9063", + "current_rate": "0", + "id": "rate-1", + "object": "192.168.2.2" + } + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 3, - "ingested": "2021-12-14T14:36:13.057648068Z", - "original": "May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", - "code": "106014", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "733100", + "kind": "event", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", + "severity": 4, "type": [ - "info", - "denied" - ], - "outcome": "failure" + "info" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "warning" }, - "cisco": { - "asa": { - "destination_interface": "fw111", - "source_interface": "fw111" - } - } - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-05-05T19:02:25.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "warning" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:25.000Z", + "cisco": { + "asa": { + "destination_interface": "fw111", + "source_interface": "fw111" + } }, - "host": { - "hostname": "dev01" + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 2 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - 
"ingested": "2021-12-14T14:36:13.057648427Z", - "original": "May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", - "code": "733100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106010", + "kind": "event", + "original": "May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", + "outcome": "failure", + "severity": 3, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "asa": { - "burst": { - "configured_avg_rate": "-4", - "cumulative_count": "9063", - "configured_rate": "-4", - "avg_rate": "7", - "current_rate": "0", - "id": "rate-1", - "object": "192.168.2.2" - } - } + "host": { + "hostname": "dev01" }, - "tags": [ - "preserve_original_event" - ] - }, - { "log": { "level": "error" }, - "destination": { - "port": 2, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "port": 5114, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "transport": "sctp", - "direction": "inbound" + "direction": "inbound", + "transport": "sctp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "fw111" } }, "hostname": "dev01", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "fw111" } - } - }, - "@timestamp": "2021-05-05T19:02:25.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "hosts": [ 
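Review bot: The `cisco.asa.burst` object on the new side of this hunk stores numeric counters as strings — `"avg_rate": "7"`, `"configured_rate": "-4"`, `"cumulative_count": "9063"`, `"current_rate": "0"` — which is what the pipeline emits today, but unless these are mapped numerically it rules out range queries and threshold alerting on the 733100 drop-rate messages. If keyword is intentional the fixture is fine as is; otherwise a `convert` to long in the pipeline with a matching type in the field definitions would make the expected values agree with the numbers in `event.original`. The enclosing object starts and ends outside this hunk.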
@@ -3356,72 +3324,69 @@ "10.10.10.10" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 5114 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-05T19:02:25.000Z", + "cisco": { + "asa": { + "destination_interface": "out111", + "source_interface": "fw111" + } + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 80 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 3, - "ingested": "2021-12-14T14:36:13.057648780Z", - "original": "May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", - "code": "106010", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "507003", + "kind": "event", + "original": "May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", + "severity": 4, "type": [ - "info", - "denied" - ], - "outcome": "failure" + "info" + ] + }, + "host": { + "hostname": "dev01" }, - "cisco": { - "asa": { - "destination_interface": "fw111", - "source_interface": "fw111" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 80, - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "source": { - "port": 49574, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "out111" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "fw111" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "out111" - } - } - }, - "@timestamp": "2021-05-05T19:02:25.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
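Review bot: The 507003 event on the new side of this hunk (`terminated by inspection engine, reason - disconnected, dropped packet.`) is classified as `"type": ["info"]` with no `event.outcome`, whereas the other drop/deny messages in this file (106015, 710005, 106014, 106010) get `["info", "denied"]` plus `"outcome": "failure"`. If the inspection-engine drop is meant to be treated like the other denials, the fixture should show `"type": ["info", "denied"]` and `"outcome": "failure"` here; if it is intentionally left as plain info, a short note in the pipeline explaining the distinction would help rule authors. The document object spans beyond this hunk.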
@@ -3432,61 +3397,54 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 49574 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T04:18:49.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:13.057649137Z", - "original": "May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", - "code": "507003", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304001", + "kind": "event", + "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", + "outcome": "success", + "severity": 5, "type": [ - "info" + "info", + "allowed" ] }, - "cisco": { - "asa": { - "destination_interface": "out111", - "source_interface": "fw111" - } - } - }, - { + "host": { + "hostname": "dev01" + }, "log": { "level": "notification" }, - "destination": { - "address": "10.20.30.40", - "ip": "10.20.30.40" - }, - "source": { - "address": "10.20.30.40", - "ip": "10.20.30.40" - }, - "url": { - "path": "/", - "original": "http://10.20.30.40/", - "scheme": "http", - "domain": "10.20.30.40" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T04:18:49.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -3495,60 +3453,59 @@ "10.20.30.40" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.20.30.40", + "original": "http://10.20.30.40/", + "path": "/", + "scheme": "http" + } + }, + { + "@timestamp": "2022-04-27T04:18:49.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057649999Z", - "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", - "code": "304001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304001", + "kind": "event", + "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] + }, + "host": { + "hostname": "dev01" }, - "cisco": { - "asa": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "address": "10.20.30.40", - "ip": "10.20.30.40" - }, - "source": { - "address": "10.20.30.40", - "ip": "10.20.30.40" - }, - "url": { - "path": "/IOFUHSIU98[0]", - "original": "http://10.20.30.40/IOFUHSIU98[0]", - "scheme": "http", - "domain": "10.20.30.40" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T04:18:49.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
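Review bot: The 304001 document on the new side of this hunk has an `event.original` containing `someuser@10.20.30.40`, yet the expected output carries no `user.name` and no `related.user`, so the username in the `Accessed URL` message is discarded; the `JAVA URL someuser@...` event in the hunk at @@ -3619 has the same gap. If the pipeline already captures that token, mapping it to `user.name` and appending it to `related.user`, as the 111009 events do, would make web-access events attributable to an account. If it does not, a note in the test log saying the `user@` prefix is intentionally not extracted would stop the next reader from reading this fixture as a regression. The objects this hunk edits are opened and closed outside it.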
@@ -3557,60 +3514,59 @@ "10.20.30.40" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.20.30.40", + "original": "http://10.20.30.40/IOFUHSIU98[0]", + "path": "/IOFUHSIU98[0]", + "scheme": "http" + } + }, + { + "@timestamp": "2022-04-27T17:54:52.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057650412Z", - "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", - "code": "304001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304001", + "kind": "event", + "original": "Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] + }, + "host": { + "hostname": "dev01" }, - "cisco": { - "asa": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "address": "10.20.30.40", - "ip": "10.20.30.40" - }, - "source": { - "address": "10.20.30.40", - "ip": "10.20.30.40" - }, - "url": { - "path": "/some/longer/url-asd-er9789870[0]_=23", - "original": "http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", - "scheme": "http", - "domain": "10.20.30.40" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T17:54:52.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -3619,60 +3575,59 @@ "10.20.30.40" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.20.30.40", + "original": "http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", + "path": "/some/longer/url-asd-er9789870[0]_=23", + "scheme": "http" + } + }, + { + "@timestamp": "2022-04-27T04:18:49.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057650767Z", - "original": "Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", - "code": "304001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304001", + "kind": "event", + "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] + }, + "host": { + "hostname": "dev01" }, - "cisco": { - "asa": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "address": "10.20.30.40", - "ip": "10.20.30.40" - }, - "source": { - "address": "10.20.30.40", - "ip": "10.20.30.40" - }, - "url": { - "path": "/", - "original": "http://10.20.30.40/", - "scheme": "http", - "domain": "10.20.30.40" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T04:18:49.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -3681,250 +3636,256 @@ "10.20.30.40" ] }, - "host": { - "hostname": "dev01" - }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057651143Z", - "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", - "code": "304001", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.20.30.40", + "ip": "10.20.30.40" }, - "cisco": { - "asa": {} + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.20.30.40", + "original": "http://10.20.30.40/", + "path": "/", + "scheme": "http" } }, { - "log": { - "level": "informational" + "@timestamp": "2022-04-27T04:12:23.000Z", + "cisco": { + "asa": { + "connection_id": "2751765169", + "destination_interface": "server.deflan", + "source_interface": "server.deflan" + } }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, "address": "81.2.69.144", - "port": 9101, - "ip": "81.2.69.144" - }, - "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, - "address": "81.2.69.144", - "port": 54242, - "ip": "81.2.69.144" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "bytes": 245, - "iana_number": "6", - "transport": "tcp" - }, - "observer": { - "ingress": { - "interface": { - "name": "server.deflan" - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "hostname": "dev01", - "product": "asa", - "type": "firewall", - 
"vendor": "Cisco", - "egress": { - "interface": { - "name": "server.deflan" - } - } + "ip": "81.2.69.144", + "port": 9101 }, - "@timestamp": "2021-04-27T04:12:23.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "dev01" - ], - "ip": [ - "81.2.69.144" - ] - }, - "host": { - "hostname": "dev01" - }, "event": { - "severity": 6, - "duration": 3602000000000, - "reason": "Connection timeout", - "ingested": "2021-12-14T14:36:13.057651499Z", - "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout", - "code": "302304", - "kind": "event", - "start": "2021-04-27T03:12:21.000Z", "action": "flow-expiration", - "end": "2021-04-27T04:12:23.000Z", "category": [ "network" ], + "code": "302304", + "duration": 3602000000000, + "end": "2022-04-27T04:12:23.000Z", + "kind": "event", + "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout", + "reason": "Connection timeout", + "severity": 6, + "start": "2022-04-27T03:12:21.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "server.deflan", - "connection_id": "2751765169", - "source_interface": "server.deflan" - } - } - }, - { - "log": { - "level": "warning" - }, - "destination": { - "port": 51635, - "address": "192.168.2.2", - "ip": "192.168.2.2" + "host": { + "hostname": "dev01" }, - "source": { - "port": 56444, - "address": "10.10.10.2", - "ip": "10.10.10.2" + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 245, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "outside" + "name": "server.deflan" } }, "hostname": "dev01", - "product": "asa", 
- "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { - "name": "srv" + "name": "server.deflan" } - } - }, - "@timestamp": "2021-04-27T02:02:02.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "hosts": [ "dev01" ], "ip": [ - "10.10.10.2", - "192.168.2.2" + "81.2.69.144" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 54242 }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:13.057651851Z", - "original": "Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", - "code": "106023", - "kind": "event", + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:02:02.000Z", + "cisco": { + "asa": { + "destination_interface": "srv", + "rule_name": "global_access_1", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 51635 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "warning" + }, + "network": { + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "srv" + } + }, + "hostname": "dev01", + 
"ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "dev01" ], - "outcome": "failure" + "ip": [ + "10.10.10.2", + "192.168.2.2" + ] + }, + "source": { + "address": "10.10.10.2", + "ip": "10.10.10.2", + "port": 56444 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2019-10-20T15:15:15.000Z", "cisco": { "asa": { - "destination_interface": "srv", - "rule_name": "global_access_1", - "source_interface": "outside" + "destination_interface": "OUTSIDE", + "rule_name": "testrulename", + "source_interface": "insideintf" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 53, "address": "192.168.157.61", - "ip": "192.168.157.61" + "ip": "192.168.157.61", + "port": 53 }, - "source": { - "port": 27218, - "address": "somedomainname.local", - "domain": "somedomainname.local" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/192.168.157.61(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "outcome": "failure", + "severity": 5, + "type": [ + "info", + "denied" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "OUTSIDE" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "insideintf" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "OUTSIDE" - } - } - }, - "@timestamp": "2019-10-20T15:15:15.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3935,468 +3896,465 @@ "192.168.157.61" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "somedomainname.local", + "domain": "somedomainname.local", + "port": 27218 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057652218Z", - "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/192.168.157.61(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "111004", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "notification" }, - "cisco": { - "asa": { - "destination_interface": "OUTSIDE", - "rule_name": "testrulename", - "source_interface": "insideintf" - } - } - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01", "console" ] }, - "log": { - "level": "notification" - }, - "host": { - "hostname": "dev01" - }, "source": { "address": "console", "domain": "console" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "command_line_arguments": "'clear'" + } + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057652571Z", - "original": "Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK", - "code": "111004", - "kind": "event", "action": "firewall-rule", 
- "type": [ - "info", - "allowed" - ], "category": [ "network" ], - "outcome": "success" + "code": "111010", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", + "severity": 5, + "type": [ + "info" + ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01", + "user": { + "name": "enable_15" + } + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "enable_15" - ], "hosts": [ "dev01" ], "ip": [ "10.10.0.87" + ], + "user": [ + "enable_15" ] }, - "log": { - "level": "notification" - }, - "host": { - "user": { - "name": "enable_15" - }, - "hostname": "dev01" - }, "source": { "address": "10.10.0.87", "ip": "10.10.0.87" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "privilege": { + "new": "15", + "old": "1" + } + } + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057652923Z", - "original": "Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", - "code": "111010", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "502103", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 
From: 1 To: 15", + "severity": 5, "type": [ "info" ] }, - "cisco": { - "asa": { - "command_line_arguments": "'clear'" + "host": { + "hostname": "dev01", + "user": { + "name": "enable_15" } }, - "tags": [ - "preserve_original_event" - ] - }, - { + "log": { + "level": "notification" + }, "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "enable_15" - ], "hosts": [ "dev01" - ] - }, - "log": { - "level": "notification" - }, - "host": { - "user": { - "name": "enable_15" - }, - "hostname": "dev01" - }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057653274Z", - "original": "Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 
From: 1 To: 15", - "code": "502103", - "kind": "event", - "action": "firewall-rule", - "type": [ - "info" ], - "category": [ - "network" + "user": [ + "enable_15" ] }, - "cisco": { - "asa": { - "privilege": { - "new": "15", - "old": "1" - } - } - }, "tags": [ "preserve_original_event" ] }, { - "log": { - "level": "informational" + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "destination_interface": "FCD-FS-LAN" + } }, "destination": { "address": "10.10.1.254", "ip": "10.10.1.254" }, - "source": { - "address": "10.10.1.212", - "port": 51923, - "user": { - "name": "*****" - }, - "ip": "10.10.1.212" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "605004", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", + "outcome": "failure", + "severity": 6, + "type": [ + "info", + "denied" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "https" }, "observer": { - "hostname": "dev01", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", "egress": { "interface": { "name": "FCD-FS-LAN" } - } - }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { - "user": [ - "*****" - ], "hosts": [ "dev01" ], "ip": [ "10.10.1.212", "10.10.1.254" + ], + "user": [ + "*****" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.1.212", + "ip": "10.10.1.212", + "port": 51923, + "user": { + "name": "*****" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": 
"2021-12-14T14:36:13.057653640Z", - "original": "Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", - "code": "605004", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "611102", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", + "outcome": "failed", + "severity": 6, "type": [ - "info", - "denied" - ], - "outcome": "failure" + "info" + ] }, - "cisco": { - "asa": { - "destination_interface": "FCD-FS-LAN" + "host": { + "hostname": "dev01", + "user": { + "name": "admin" } - } - }, - { + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "admin" - ], "hosts": [ "dev01" ], "ip": [ "10.10.0.87" + ], + "user": [ + "admin" ] }, - "log": { - "level": "informational" - }, - "host": { - "user": { - "name": "admin" - }, - "hostname": "dev01" - }, "source": { "address": "10.10.0.87", "ip": "10.10.0.87" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "destination_interface": "FCD-FS-LAN" + } + }, + "destination": { + "address": "10.10.1.254", + "ip": "10.10.1.254" + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057653993Z", - "original": "Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", - "code": "611102", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "605005", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", + "outcome": "success", + "severity": 6, 
"type": [ - "info" - ], - "outcome": "failed" + "info", + "allowed" + ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" }, - "tags": [ - "preserve_original_event" - ] - }, - { "log": { "level": "informational" }, - "destination": { - "address": "10.10.1.254", - "ip": "10.10.1.254" - }, - "source": { - "address": "10.10.0.87", - "port": 6651, - "user": { - "name": "admin" - }, - "ip": "10.10.0.87" - }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "ssh" }, "observer": { - "hostname": "dev01", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", "egress": { "interface": { "name": "FCD-FS-LAN" } - } - }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { - "user": [ - "admin" - ], "hosts": [ "dev01" ], "ip": [ "10.10.0.87", "10.10.1.254" + ], + "user": [ + "admin" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87", + "port": 6651, + "user": { + "name": "admin" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057654354Z", - "original": "Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", - "code": "605005", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "611101", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", + "outcome": "succeeded", + "severity": 6, "type": [ - "info", - "allowed" - ], - "outcome": "success" + "info" + ] }, - "cisco": { - "asa": { - "destination_interface": "FCD-FS-LAN" + "host": { + "hostname": "dev01", + "user": { + "name": "admin" } - } - 
}, - { + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "admin" - ], "hosts": [ "dev01" ], "ip": [ "10.10.0.87" + ], + "user": [ + "admin" ] }, - "log": { - "level": "informational" - }, - "host": { - "user": { - "name": "admin" - }, - "hostname": "dev01" - }, "source": { "address": "10.10.0.87", "ip": "10.10.0.87" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057654733Z", - "original": "Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", - "code": "611101", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "713049", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 81.2.69.144, IP = 81.2.69.144, Security negotiation complete for LAN-to-LAN Group (81.2.69.144) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "severity": 5, "type": [ "info" - ], - "outcome": "succeeded" + ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
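Review bot: The added `"outcome": "failed"` on the 611102 "User authentication failed" document and `"outcome": "succeeded"` on the 611101 "User authentication succeeded" document are not valid ECS `event.outcome` values (ECS allows only `success`, `failure`, `unknown`), which contradicts this commit's stated goal and means standard `event.outcome:failure` authentication-failure rules will never match these messages, while the sibling 605004/605005 documents in the same hunk already use `failure`/`success`. The change is in the ASA pipeline's handling of 611101/611102, not in this generated fixture; once fixed the expected lines become `"outcome": "failure",` and `"outcome": "success",`. Relatedly, every login, authentication and privilege-change document here (605004, 605005, 611101, 611102, 502103) carries `event.category: ["network"]` and `event.action: "firewall-rule"`, whereas ECS-based detections key on `event.category: authentication`; consider emitting that category for these codes as well, though the category mapping lives outside this hunk.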
@@ -4405,313 +4363,286 @@ "81.2.69.144" ] }, - "log": { - "level": "notification" - }, - "host": { - "hostname": "dev01" - }, "source": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", "ip": "81.2.69.144" }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057655087Z", - "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 81.2.69.144, IP = 81.2.69.144, Security negotiation complete for LAN-to-LAN Group (81.2.69.144) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", - "code": "713049", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] - }, - "cisco": { - "asa": {} - }, "tags": [ "preserve_original_event" ] }, { - "log": { - "level": "warning" + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": {} }, "destination": { + "address": "81.2.69.144", + "bytes": 1216163, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "bytes": 1216163, "ip": "81.2.69.144" }, - "source": { - "user": { - "name": "81.2.69.144" - }, - "bytes": 297103 + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "113019", + "duration": 0, + "end": "2022-04-27T02:03:03.000Z", + "kind": "event", + "original": "Apr 27 
02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "severity": 4, + "start": "2022-04-27T02:03:03.000Z", + "type": [ + "info" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "81.2.69.144" - ], "hosts": [ "dev01" ], "ip": [ "81.2.69.144" + ], + "user": [ + "81.2.69.144" ] }, - "host": { - "hostname": "dev01" + "source": { + "bytes": 297103, + "user": { + "name": "81.2.69.144" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "assigned_ip": "192.168.50.5", + "webvpn": { + "group_name": "VPN5Policy" + } + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "duration": 0, - "ingested": "2021-12-14T14:36:13.057655452Z", - "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. 
Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", - "code": "113019", - "kind": "event", - "start": "2021-04-27T02:03:03.000Z", "action": "firewall-rule", - "end": "2021-04-27T02:03:03.000Z", "category": [ "network" ], + "code": "722051", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-4-722051: Group \u003cVPN5Policy\u003e User \u003cjohn\u003e IP \u003c192.168.50.3\u003e IPv4 Address \u003c192.168.50.5\u003e IPv6 address \u003c::\u003e assigned to session", + "severity": 4, "type": [ "info" ] }, - "cisco": { - "asa": {} - } - }, - { + "host": { + "hostname": "dev01" + }, + "log": { + "level": "warning" + }, "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "john" - ], "hosts": [ "dev01" ], "ip": [ "192.168.50.3" + ], + "user": [ + "john" ] }, - "log": { - "level": "warning" - }, - "host": { - "hostname": "dev01" - }, "source": { + "address": "192.168.50.3", + "ip": "192.168.50.3", "user": { "name": "john" - }, - "address": "192.168.50.3", - "ip": "192.168.50.3" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "webvpn": { + "group_name": "another-policy" + } + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:13.057655837Z", - "original": "Apr 27 02:03:03 dev01: %ASA-4-722051: Group \u003cVPN5Policy\u003e User \u003cjohn\u003e IP \u003c192.168.50.3\u003e IPv4 Address \u003c192.168.50.5\u003e IPv6 address \u003c::\u003e assigned to session", - "code": "722051", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "716002", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 81.2.69.144 WebVPN session terminated: User 
Requested.", + "reason": "User Requested", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "webvpn": { - "group_name": "VPN5Policy" - }, - "assigned_ip": "192.168.50.5" - } + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "testuser" - ], "hosts": [ "dev01" ], "ip": [ "81.2.69.144" + ], + "user": [ + "testuser" ] }, - "log": { - "level": "informational" - }, - "host": { - "hostname": "dev01" - }, "source": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", + "ip": "81.2.69.144", "user": { "name": "testuser" - }, - "ip": "81.2.69.144" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "webvpn": { + "group_name": "another-policy" + } + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "reason": "User Requested", - "ingested": "2021-12-14T14:36:13.057656196Z", - "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 81.2.69.144 WebVPN session terminated: User Requested.", - "code": "716002", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "716002", + "kind": "event", + "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.", + "reason": "Idle timeout", 
+ "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "webvpn": { - "group_name": "another-policy" - } - } + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "alice" - ], "hosts": [ "dev01" ], "ip": [ "192.168.50.1" + ], + "user": [ + "alice" ] }, - "log": { - "level": "informational" - }, - "host": { - "hostname": "dev01" - }, "source": { + "address": "192.168.50.1", + "ip": "192.168.50.1", "user": { "name": "alice" - }, - "address": "192.168.50.1", - "ip": "192.168.50.1" - }, - "event": { - "severity": 6, - "reason": "Idle timeout", - "ingested": "2021-12-14T14:36:13.057656555Z", - "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.", - "code": "716002", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] - }, - "cisco": { - "asa": { - "webvpn": { - "group_name": "another-policy" - } } }, "tags": [ 
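Review bot: The added 113019 document parses `Duration: 0h:32m:16s` from its `event.original` into `"duration": 0` with `event.start` equal to `event.end`, so a 32-minute LAN-to-LAN VPN session is recorded as zero-length; the 302304 document earlier in this file shows the `H:MM:SS` form (`duration 1:00:02`) is handled, so the `NhNNmNNs` form appears not to be. The fix is in the pipeline's duration conversion, after which this fixture should read `"duration": 1936000000000,` and `"start": "2022-04-27T01:30:47.000Z",` (1936 s before the 02:03:03 end). The `event.type` for this session teardown is also just `["info"]`, whereas the 302304 teardown uses `["connection", "end"]`; aligning them would let session-end detections cover both message families.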
@@ -4719,138 +4650,55 @@
 ]
 },
 {
- "log": {
- "level": "error"
+ "@timestamp": "2022-04-27T02:03:03.000Z",
+ "cisco": {
+ "asa": {
+ "destination_interface": "outside"
+ }
 },
 "destination": {
- "port": 23,
 "address": "192.168.157.61",
- "ip": "192.168.157.61"
- },
- "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
- "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
- },
- "address": "81.2.69.144",
- "port": 6370,
- "ip": "81.2.69.144"
- },
- "tags": [
- "preserve_original_event"
- ],
- "network": {
- "iana_number": "6",
- "transport": "tcp"
- },
- "observer": {
- "hostname": "dev01",
- "product": "asa",
- "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "outside"
- }
- }
+ "ip": "192.168.157.61",
+ "port": 23
 },
- "@timestamp": "2021-04-27T02:03:03.000Z",
 "ecs": {
 "version": "1.12.0"
 },
- "related": {
- "hosts": [
- "dev01"
- ],
- "ip": [
- "81.2.69.144",
- "192.168.157.61"
- ]
- },
- "host": {
- "hostname": "dev01"
- },
 "event": {
- "severity": 3,
- "ingested": "2021-12-14T14:36:13.057656978Z",
- "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 81.2.69.144/6370 to outside:192.168.157.61/23",
- "code": "710003",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "710003",
+ "kind": "event",
+ "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 81.2.69.144/6370 to outside:192.168.157.61/23",
+ "outcome": "failure",
+ "severity": 3,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
- },
- "cisco": {
- "asa": {
- "destination_interface": "outside"
- }
- }
- },
- {
- "log": {
- "level": "notification"
- },
- "destination": {
- "port": 123123,
- "address": "192.168.2.2",
- "ip": "192.168.2.2"
+ ]
 },
- "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
- "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
- },
- "address": "81.2.69.144",
- "port": 8888,
- "ip": "81.2.69.144"
+ "host": {
+ "hostname": "dev01"
+ },
+ "log": {
+ "level": "error"
 },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
- "protocol": "tcp"
+ "iana_number": "6",
+ "transport": "tcp"
 },
 "observer": {
- "ingress": {
+ "egress": {
 "interface": {
- "name": "sourceInterfaceName"
+ "name": "outside"
 }
 },
 "hostname": "dev01",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "destinationInterfaceName"
- }
- }
- },
- "@timestamp": "2020-04-27T02:03:03.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "hosts": [
@@ -4858,86 +4706,85 @@ ], "ip": [ "81.2.69.144", - "192.168.2.2" + "192.168.157.61" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 6370 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "destination_interface": "destinationInterfaceName", + "source_interface": "sourceInterfaceName" + } + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 123123 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:13.057657339Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally", - "code": "434004", - "kind": "event", "action": "bypass", "category": [ "network" ], + "code": "434004", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally", + "outcome": "unknown", + "severity": 5, "type": [ "info", "change" - ], - "outcome": "unknown" - }, - "cisco": { - "asa": { - "destination_interface": "destinationInterfaceName", - "source_interface": "sourceInterfaceName" - } - } - }, - { - "log": { - "level": "warning" + ] }, - "destination": { - "port": 514514, - "address": "192.168.2.2", - "ip": "192.168.2.2" + "host": { + "hostname": "dev01" }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - 
"country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, - "address": "81.2.69.144", - "port": 8888, - "ip": "81.2.69.144" + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "destinationInterfaceName" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "sourceInterfaceName" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "destinationInterfaceName" - } - } - }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -4948,71 +4795,75 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" - }, - "event": { - "severity": 4, - "action": "drop", - "ingested": "2021-12-14T14:36:13.057657709Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514", - "code": "434002", - "outcome": "unknown" + "source": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 8888 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", "cisco": { "asa": { "destination_interface": "destinationInterfaceName", "source_interface": "sourceInterfaceName" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 123412, "address": "192.168.2.2", - "ip": "192.168.2.2" + "ip": "192.168.2.2", + "port": 514514 }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, - "address": "81.2.69.144", - "port": 7777, - "ip": "81.2.69.144" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "drop", + "code": "434002", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514", + "outcome": "unknown", + "severity": 4 + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "tcp" }, "observer": { + "egress": { + "interface": { + "name": 
"destinationInterfaceName" + } + }, + "hostname": "dev01", "ingress": { "interface": { "name": "sourceInterfaceName" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -5022,83 +4873,77 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 8888 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "source_interface": "sourceInterfaceName" + } + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 123412 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "reason": "Failed to locate egress interface", - "ingested": "2021-12-14T14:36:13.057658068Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.144/7777 to 192.168.2.2/123412", - "code": "110002", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "110002", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.144/7777 to 192.168.2.2/123412", + "outcome": "failure", + "reason": "Failed to locate egress interface", + "severity": 6, "type": [ "info", "denied" - ], - "outcome": "failure" - }, - "cisco": { - "asa": { - "source_interface": "sourceInterfaceName" - } - } - }, - { - "log": { - "level": "warning" - }, - "destination": { - "port": 514514, - "address": "192.168.2.2", - "ip": "192.168.2.2" + ] }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, - "address": "81.2.69.144", - "port": 7777, - "ip": "81.2.69.144" + 
"host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "tcp" }, "observer": { + "hostname": "dev01", "ingress": { "interface": { "name": "sourceInterfaceName" } }, - "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "destinationInterfaceName" - } - } - }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -5109,77 +4954,83 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 7777 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": { + "destination_interface": "destinationInterfaceName", + "source_interface": "sourceInterfaceName" + } + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 514514 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "reason": "Duplicate TCP SYN with different initial sequence number", - "ingested": "2021-12-14T14:36:13.057658422Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.144/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", - "code": "419002", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "419002", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.144/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", + "reason": "Duplicate TCP SYN with different initial sequence number", + "severity": 4, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "destinationInterfaceName", - "source_interface": "sourceInterfaceName" - } - } - }, - { - "log": { - "level": "informational" - }, - "destination": { - "address": "192.168.2.2", - "ip": "192.168.2.2" + "host": { + "hostname": "dev01" }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", 
- "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, - "address": "81.2.69.144", - "ip": "81.2.69.144" + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { - "type": "ipsec", - "inner": "LAN-to-LAN", - "direction": "outbound" + "protocol": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "destinationInterfaceName" + } + }, "hostname": "dev01", + "ingress": { + "interface": { + "name": "sourceInterfaceName" + } + }, "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "admin" - ], "hosts": [ "dev01" ], 
@@ -5188,55 +5039,56 @@ "192.168.2.2" ] }, - "host": { - "hostname": "dev01" - }, - "event": { - "severity": 6, - "action": "created", - "ingested": "2021-12-14T14:36:13.057658891Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been created.", - "code": "602303", - "outcome": "success" - }, - "user": { - "name": "admin" - }, - "cisco": { - "asa": {} - } - }, - { - "log": { - "level": "informational" - }, - "destination": { - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, "source": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 7777 }, "tags": [ "preserve_original_event" - ], + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "created", + "code": "602303", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been created.", + "outcome": "success", + "severity": 6 + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" + }, "network": { - "type": "ipsec", + "direction": "outbound", "inner": "LAN-to-LAN", - "direction": "outbound" + "type": "ipsec" }, "observer": { "hostname": "dev01", 
@@ -5244,214 +5096,310 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "admin" - ], "hosts": [ "dev01" ], "ip": [ "81.2.69.144", "192.168.2.2" + ], + "user": [ + "admin" ] }, - "host": { - "hostname": "dev01" + "source": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057659247Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been deleted.", - "code": "602304", - "kind": "event", "action": "deleted", "category": [ "network" ], + "code": "602304", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been deleted.", + "outcome": "success", + "severity": 6, "type": [ "info", "deletion", "user", "allowed" - ], - "outcome": "success" + ] }, - "user": { - "name": "admin" + "host": { + "hostname": "dev01" }, - "cisco": { - "asa": {} - } - }, - { "log": { - "level": "notification" + "level": "informational" }, - "destination": { - "port": 7777, - "address": "192.168.2.2", - "ip": "192.168.2.2" + "network": { + "direction": "outbound", + "inner": "LAN-to-LAN", + "type": "ipsec" + }, + "observer": { + "hostname": "dev01", + "product": "asa", + "type": 
"firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "81.2.69.144", + "192.168.2.2" + ], + "user": [ + "admin" + ] }, "source": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 7777, "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" ], - "observer": { - "hostname": "dev01", - "product": "asa", - "type": "firewall", - "vendor": "Cisco" - }, + "user": { + "name": "admin" + } + }, + { "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" + "cisco": { + "asa": {} }, - "related": { - "user": [ - "admin" - ], - "hosts": [ - "dev01" - ], - "ip": [ - "81.2.69.144", - "192.168.2.2" - ] + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 7777 }, - "host": { - "hostname": "dev01" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 5, - "reason": "Received a IKE_INIT_SA request", - "ingested": "2021-12-14T14:36:13.057659621Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", - "code": "750002", - "kind": "event", "action": "connection-started", "category": [ "network" ], + "code": "750002", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", + "reason": "Received a IKE_INIT_SA request", + "severity": 5, "type": [ "connection", "start" ] }, - "user": { - "name": "admin" + "host": { + "hostname": "dev01" }, - "cisco": { - "asa": {} - } - }, - { "log": { - "level": "warning" + 
"level": "notification" }, - "destination": { - "port": 7777, - "address": "192.168.2.2", - "ip": "192.168.2.2" + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "81.2.69.144", + "192.168.2.2" + ], + "user": [ + "admin" + ] }, "source": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 7777, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 7777 }, "tags": [ "preserve_original_event" ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2", + "port": 7777 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "error", + "category": [ + "network" + ], + "code": "750003", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", + "reason": "Negotiation aborted due to Failed to locate an item in the database", + "severity": 4, + "type": [ + "error" + ] + }, + "host": { + "hostname": "dev01" + }, + "log": { + "level": "warning" + }, "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "admin" - ], "hosts": [ "dev01" ], "ip": [ "81.2.69.144", "192.168.2.2" + ], + "user": [ + "admin" ] }, - "host": { - "hostname": "dev01" + "source": { 
+ "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 7777 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "reason": "Negotiation aborted due to Failed to locate an item in the database", - "ingested": "2021-12-14T14:36:13.057659977Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", - "code": "750003", - "kind": "event", - "action": "error", - "type": [ - "error" - ], + "action": "firewall-rule", "category": [ "network" + ], + "code": "713120", + "id": "bbe383e88", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.168.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", + "outcome": "success", + "reason": "PHASE 2 COMPLETED", + "severity": 5, + "type": [ + "info", + "allowed" ] }, - "user": { - "name": "admin" + "host": { + "hostname": "dev01" + }, + "log": { + "level": "notification" }, - "cisco": { - "asa": {} - } - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -5460,52 +5408,48 @@ "192.168.1.1" ] }, - "log": { - "level": "notification" - }, - "host": { - "hostname": "dev01" - }, "source": { "address": "192.168.1.1", "ip": "192.168.1.1" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "reason": "PHASE 2 COMPLETED", - "ingested": "2021-12-14T14:36:13.057660341Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.168.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", - "code": "713120", - "kind": "event", "action": "firewall-rule", - "id": "bbe383e88", "category": [ "network" ], + "code": "713202", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.168.157.61, Duplicate first packet detected. Ignoring packet.", + "reason": "Duplicate first packet detected", + "severity": 5, "type": [ - "info", - "allowed" - ], - "outcome": "success" + "info" + ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -5514,49 +5458,50 @@ "192.168.157.61" ] }, - "log": { - "level": "notification" + "source": { + "address": "192.168.157.61", + "ip": "192.168.157.61" }, - "host": { - "hostname": "dev01" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} }, - "source": { - "address": "192.168.157.61", - "ip": "192.168.157.61" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 5, - "reason": "Duplicate first packet detected", - "ingested": "2021-12-14T14:36:13.057660704Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.168.157.61, Duplicate first packet detected. Ignoring packet.", - "code": "713202", - "kind": "event", - "action": "firewall-rule", + "action": "error", "category": [ "network" ], + "code": "713905", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", + "outcome": "failure", + "reason": "All IPSec SA proposals found unacceptable!", + "severity": 6, "type": [ - "info" + "error", + "denied" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" 
@@ -5565,186 +5510,182 @@ "192.168.1.1" ] }, - "log": { - "level": "informational" - }, - "host": { - "hostname": "dev01" - }, "source": { "address": "192.168.1.1", "ip": "192.168.1.1" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-14T14:36:13.057661066Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", - "code": "713905", - "kind": "event", "action": "error", - "type": [ - "error", - "denied" - ], "category": [ "network" ], - "outcome": "failure" + "code": "713904", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!", + "outcome": "failure", + "reason": "All IPSec SA proposals found unacceptable!", + "severity": 6, + "type": [ + "error", + "denied" + ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "dev01" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-14T14:36:13.057661421Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!", - "code": "713904", - "kind": "event", - "action": "error", - "type": [ - "error", - "denied" - ], 
+ "action": "firewall-rule", "category": [ "network" ], - "outcome": "failure" + "code": "713903", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", + "severity": 6, + "type": [ + "info" + ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "dev01" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:13.057661767Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", - "code": "713903", - "kind": "event", - "action": "firewall-rule", + "action": "error", "category": [ "network" ], + "code": "713902", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!", + "outcome": "failure", + "reason": "All IPSec SA proposals found unacceptable!", + "severity": 6, "type": [ - "info" + "error", + "denied" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2020-04-27T02:03:03.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "dev01" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-14T14:36:13.057662122Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!", - "code": "713902", - "kind": "event", "action": "error", - "type": [ - "error", - "denied" - ], "category": [ "network" ], - "outcome": "failure" + "code": "713901", + "kind": "event", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", + "outcome": "failure", + "reason": "All IPSec SA proposals found unacceptable!", + "severity": 6, + "type": [ + "error", + "denied" + ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "dev01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "dev01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-27T02:03:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "dev01" @@ -5753,36 +5694,10 @@ "192.168.1.1" ] }, - "log": { - "level": "informational" - }, - "host": { - "hostname": "dev01" - }, "source": { "address": "192.168.1.1", "ip": "192.168.1.1" }, - "event": { - "severity": 6, - "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-14T14:36:13.057662478Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", - "code": "713901", - "kind": "event", - "action": "error", - "type": [ - "error", - "denied" - ], - "category": [ - "network" - ], - "outcome": "failure" - }, - "cisco": { - "asa": {} - }, "tags": [ "preserve_original_event" ] 
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json index 941db57a52e..09f988c3f0c 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json 
@@ -1,46 +1,67 @@ { "expected": [ { - "log": { - "level": "informational" + "@timestamp": "2020-04-17T14:08:08.000Z", + "cisco": { + "asa": { + "connection_id": "110577675", + "destination_interface": "Inside", + "source_interface": "Outside", + "source_username": "(LOCAL\\Elastic)", + "termination_user": "zzzzzz" + } }, "destination": { - "port": 53, "address": "10.233.123.123", - "ip": "10.233.123.123" + "ip": "10.233.123.123", + "port": 53 }, - "source": { - "port": 53723, - "address": "10.123.123.123", - "ip": "10.123.123.123" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302016", + "duration": 0, + "end": "2020-04-17T14:08:08.000Z", + "kind": "event", + "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", + "severity": 6, + "start": "2020-04-17T14:08:08.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 148, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "Inside" + } + }, + "hostname": "SNL-ASA-VPN-A01", "ingress": { "interface": { "name": "Outside" } }, - "hostname": "SNL-ASA-VPN-A01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "Inside" - } - } - }, - "@timestamp": "2020-04-17T14:08:08.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -51,75 +72,71 @@ "10.233.123.123" ] }, - "host": { - "hostname": "SNL-ASA-VPN-A01" + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 53723 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-17T14:00:31.000Z", + "cisco": { + "asa": { + "destination_interface": "Outside", + "rule_name": "Inside_access_in", + "source_interface": "Inside" + } + }, + "destination": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:22.161214817Z", - "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", - "code": "302016", - "kind": "event", - "start": "2020-04-17T14:08:08.000Z", - "action": "flow-expiration", - "end": "2020-04-17T14:08:08.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ - "connection", - "end" + "info", + "denied" ] }, - "cisco": { - "asa": { - "source_username": "(LOCAL\\Elastic)", - "destination_interface": "Inside", - "termination_user": "zzzzzz", - "connection_id": "110577675", - "source_interface": "Outside" - } - } - }, - { + "host": { + "hostname": "SNL-ASA-VPN-A01" + }, "log": { "level": "warning" }, - "destination": { - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "source": { - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Outside" + 
} + }, + "hostname": "SNL-ASA-VPN-A01", "ingress": { "interface": { "name": "Inside" } }, - "hostname": "SNL-ASA-VPN-A01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "Outside" - } - } - }, - "@timestamp": "2020-04-17T14:00:31.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -129,55 +146,59 @@ "10.123.123.123" ] }, - "host": { - "hostname": "SNL-ASA-VPN-A01" + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "acl_dmz", + "source_interface": "dmz" + } + }, + "destination": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 53 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:22.161217172Z", - "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "Outside", - "rule_name": "Inside_access_in", - "source_interface": "Inside" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 53, - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "source": { - "port": 6316, - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "dmz" 
@@ -185,86 +206,80 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-15T09:36:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ "10.123.123.123" ] }, + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 6316 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-17T14:16:20.000Z", + "cisco": { + "asa": { + "destination_interface": "Outside", + "rule_name": "Inside_access_in", + "source_interface": "Inside", + "source_username": "(LOCAL\\Elastic)" + } + }, + "destination": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 57621 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:22.161217584Z", - "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" }, - "cisco": { - "asa": { - "destination_interface": "outside", - "rule_name": "acl_dmz", - "source_interface": "dmz" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 57621, - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "source": { - "port": 57621, - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, 
"observer": { + "egress": { + "interface": { + "name": "Outside" + } + }, + "hostname": "SNL-ASA-VPN-A01", "ingress": { "interface": { "name": "Inside" } }, - "hostname": "SNL-ASA-VPN-A01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "Outside" - } - } - }, - "@timestamp": "2020-04-17T14:16:20.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -274,59 +289,54 @@ "10.123.123.123" ] }, - "host": { - "hostname": "SNL-ASA-VPN-A01" + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 57621 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-17T14:15:07.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:22.161220778Z", - "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106017", + "kind": "event", + "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" }, - "cisco": { - "asa": { - "source_username": "(LOCAL\\Elastic)", - "destination_interface": "Outside", - "rule_name": "Inside_access_in", - "source_interface": "Inside" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "source": { - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "SNL-ASA-VPN-A01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-17T14:15:07.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "SNL-ASA-VPN-A01" 
@@ -335,59 +345,62 @@ "10.123.123.123" ] }, - "host": { - "hostname": "SNL-ASA-VPN-A01" + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-17T14:15:07.000Z", + "cisco": { + "asa": { + "icmp_code": 0, + "icmp_type": 134, + "source_interface": "ISP1" + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:22.161221227Z", - "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", - "code": "106017", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "313008", + "kind": "event", + "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", + "outcome": "failure", + "severity": 3, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" }, - "cisco": { - "asa": {} - } - }, - { "log": { "level": "error" }, - "source": { - "address": "fe80::1ff:fe23:4567:890a", - "ip": "fe80::1ff:fe23:4567:890a" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "58", "transport": "ipv6-icmp" }, "observer": { + "hostname": "SNL-ASA-VPN-A01", "ingress": { "interface": { "name": "ISP1" } }, - "hostname": "SNL-ASA-VPN-A01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-17T14:15:07.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "SNL-ASA-VPN-A01" 
@@ -396,55 +409,63 @@ "fe80::1ff:fe23:4567:890a" ] }, - "host": { - "hostname": "SNL-ASA-VPN-A01" + "source": { + "address": "fe80::1ff:fe23:4567:890a", + "ip": "fe80::1ff:fe23:4567:890a" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-06-08T12:59:57.000Z", + "cisco": { + "asa": { + "destination_interface": "identity", + "icmp_code": 9, + "mapped_destination_ip": "10.12.31.51", + "mapped_destination_port": 0, + "mapped_source_ip": "10.255.0.206", + "mapped_source_port": 8795, + "source_interface": "Inside" + } + }, + "destination": { + "address": "10.12.31.51", + "ip": "10.12.31.51", + "port": 0 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 3, - "ingested": "2021-12-14T14:36:22.161221587Z", - "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", - "code": "313008", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "313009", + "kind": "event", + "original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "icmp_type": 134, - "source_interface": "ISP1", - "icmp_code": 0 - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 0, - "address": "10.12.31.51", - "ip": "10.12.31.51" - }, - "source": { - "port": 8795, - "address": "10.255.0.206", - "ip": "10.255.0.206" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "identity" + } + }, "ingress": { "interface": { "name": "Inside" 
@@ -452,16 +473,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "identity" - } - } - }, - "@timestamp": "2020-06-08T12:59:57.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -469,56 +481,60 @@ "10.12.31.51" ] }, + "source": { + "address": "10.255.0.206", + "ip": "10.255.0.206", + "port": 8795 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2019-10-20T15:42:53.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "incoming", + "source_interface": "dmz2" + } + }, + "destination": { + "address": "127.3.4.5", + "ip": "127.3.4.5", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:22.161221960Z", - "original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8", - "code": "313009", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "outcome": "success", + "severity": 6, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "asa": { - "destination_interface": "identity", - "mapped_source_port": 8795, - "mapped_destination_ip": "10.12.31.51", - "mapped_source_ip": "10.255.0.206", - "source_interface": "Inside", - "mapped_destination_port": 0, - "icmp_code": 9 - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 53, - "address": "127.3.4.5", - "ip": "127.3.4.5" - }, - "source": { - "port": 56575, - "address": "127.2.3.4", - "ip": "127.2.3.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "dmz2" 
@@ -526,16 +542,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2019-10-20T15:42:53.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -543,52 +550,60 @@ "127.3.4.5" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:22.161222339Z", - "original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "127.2.3.4", + "ip": "127.2.3.4", + "port": 56575 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2019-10-20T15:42:54.000Z", "cisco": { "asa": { "destination_interface": "inside", "rule_name": "incoming", "source_interface": "dmz2" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 53, "address": "127.3.4.5", - "ip": "127.3.4.5" + "ip": "127.3.4.5", + "port": 53 }, - "source": { - "port": 56575, - "address": "127.2.3.4", - "ip": "127.2.3.4" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "outcome": "success", + "severity": 6, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "dmz2" 
@@ -596,16 +611,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2019-10-20T15:42:54.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -613,52 +619,61 @@ "127.3.4.5" ] }, + "source": { + "address": "127.2.3.4", + "ip": "127.2.3.4", + "port": 56575 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-08-06T11:01:37.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "dev_inward_client", + "source_interface": "outside", + "suffix": "session" + } + }, + "destination": { + "address": "10.223.223.40", + "ip": "10.223.223.40", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:22.161222691Z", - "original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106102", + "kind": "event", + "original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "outcome": "success", + "severity": 3, "type": [ "info", "allowed" - ], - "outcome": "success" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "incoming", - "source_interface": "dmz2" - } - } - }, - { "log": { "level": "error" }, - "destination": { - "port": 53, - "address": "10.223.223.40", - "ip": "10.223.223.40" - }, - "source": { - "port": 49721, - "address": "10.123.123.20", - "ip": "10.123.123.20" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "outside" 
@@ -666,88 +681,86 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2020-08-06T11:01:37.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "redacted" - ], "ip": [ "10.123.123.20", "10.223.223.40" + ], + "user": [ + "redacted" ] }, - "event": { - "severity": 3, - "ingested": "2021-12-14T14:36:22.161223047Z", - "original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", - "code": "106102", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.123.123.20", + "ip": "10.123.123.20", + "port": 49721 }, + "tags": [ + "preserve_original_event" + ], "user": { "name": "redacted" - }, - "cisco": { - "asa": { - "destination_interface": "inside", - "suffix": "session", - "rule_name": "dev_inward_client", - "source_interface": "outside" - } } }, { - "log": { - "level": "alert" + "@timestamp": "2020-08-06T11:01:38.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "filter", + "source_interface": "inside" + } }, "destination": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 8080, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 8080 }, - "source": { - "port": 64321, - "address": "10.1.2.3", - "ip": "10.1.2.3" + "ecs": { + "version": "1.12.0" + }, + 
"event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106103", + "kind": "event", + "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "outcome": "failure", + "severity": 1, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "alert" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -755,51 +768,27 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2020-08-06T11:01:38.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "joe" - ], "ip": [ "10.1.2.3", "81.2.69.144" + ], + "user": [ + "joe" ] }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:36:22.161223419Z", - "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", - "code": "106103", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.1.2.3", + "ip": "10.1.2.3", + "port": 64321 }, + "tags": [ + "preserve_original_event" + ], "user": { "name": "joe" - }, - "cisco": { - "asa": { - "destination_interface": "outside", - "rule_name": "filter", - "source_interface": "inside" - } } } ] diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json index 69bb9b5d45e..fc378538b29 100644 
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json @@ -1,49 +1,63 @@ { "expected": [ { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } }, "destination": { - "port": 8256, "address": "192.168.98.44", - "ip": "192.168.98.44" + "ip": "192.168.98.44", + "port": 8256 }, - "source": { - "port": 1772, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -54,75 +68,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11757", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1772, + "mapped_source_ip": "192.168.205.104", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392237546Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1772, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.205.104", - "ip": "192.168.205.104" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -133,80 +151,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.205.104", + "ip": "192.168.205.104", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11749", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1758 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392242512Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.205.104", - "connection_id": "11757", - "source_interface": "outside", - "mapped_destination_port": 1772 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1758, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.211.242", - "ip": "192.168.211.242" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { "bytes": 38110, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -217,81 +235,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392243229Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.211.242", + "ip": "192.168.211.242", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { + "connection_id": "11748", "destination_interface": "inside", - "connection_id": "11749", "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1757, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1757 }, - "source": { - "port": 80, - "address": "192.168.211.242", - "ip": "192.168.211.242" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 
44010, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -302,81 +319,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.211.242", + "ip": "192.168.211.242", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11745", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1755 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392243621Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11748", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1755, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.185.90", - "ip": "192.168.185.90" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 7652, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -387,81 +403,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.185.90", + "ip": "192.168.185.90", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11744", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1754 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392244026Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11745", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1754, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.185.90", - "ip": "192.168.185.90" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 7062, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -472,81 +487,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.185.90", + "ip": "192.168.185.90", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11742", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1752 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392244408Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 68000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:48.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11744", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1752, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.160.197", - "ip": "192.168.160.197" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 5738, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -557,81 +571,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.160.197", + "ip": "192.168.160.197", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11738", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1749 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392244805Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:48.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 68000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:48.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11742", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1749, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.205.14", - "ip": "192.168.205.14" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 4176, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -642,81 +655,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.205.14", + "ip": "192.168.205.14", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11739", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1750 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392245262Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:48.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 68000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:48.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11738", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1750, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.33", - "ip": "192.168.124.33" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 1715, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -727,81 +739,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.33", + "ip": "192.168.124.33", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11731", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1747 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392245669Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:48.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11739", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1747, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.35.9", - "ip": "192.168.35.9" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 45595, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -812,81 +823,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.35.9", + "ip": "192.168.35.9", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11723", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1742 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392246064Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11731", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1742, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.211.242", - "ip": "192.168.211.242" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 27359, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -897,81 +907,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.211.242", + "ip": "192.168.211.242", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11715", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1741 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392246470Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11723", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1741, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.218.21", - "ip": "192.168.218.21" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 4457, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -982,81 +991,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.218.21", + "ip": "192.168.218.21", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11711", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1739 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392247074Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11715", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1739, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.27", - "ip": "192.168.198.27" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 26709, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1067,81 +1075,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.27", + "ip": "192.168.198.27", + "port": 80 }, - "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392247468Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11712", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1740 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11711", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1740, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.27", - "ip": "192.168.198.27" - }, - "tags": [ - "preserve_original_event" - 
], "network": { "bytes": 22097, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1152,81 +1159,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.27", + "ip": "192.168.198.27", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11708", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1738 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392248018Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 70000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:46.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11712", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1738, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.202.211", - "ip": "192.168.202.211" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 2209, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1237,81 +1243,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.202.211", + "ip": "192.168.202.211", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11746", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1756 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 70000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392248420Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:46.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11708", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1756, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.15", - "ip": "192.168.124.15" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 10404, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1322,81 +1327,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392248807Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.124.15", + "ip": "192.168.124.15", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { + "connection_id": "11706", "destination_interface": "inside", - "connection_id": "11746", "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1737, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1737 }, - "source": { - "port": 80, - "address": "192.168.124.15", - "ip": "192.168.124.15" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 70000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:46.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 
123694, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1407,81 +1411,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.15", + "ip": "192.168.124.15", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11702", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1736 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 70000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392249323Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:46.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 71000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:45.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11706", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1736, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.209.247", - "ip": "192.168.209.247" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 35835, 
"iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1492,81 +1495,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.209.247", + "ip": "192.168.209.247", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11753", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1765 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 71000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392249716Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:45.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 30000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "reason": "SYN Timeout", + "severity": 6, + "start": "2018-10-10T12:34:26.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11702", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1765, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.35.162", - "ip": "192.168.35.162" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 0, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1577,80 +1579,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.35.162", + "ip": "192.168.35.162", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 1188 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 30000000000, - "reason": "SYN Timeout", - "ingested": "2021-12-14T14:36:23.392250189Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:26.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11753", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1188, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": 
"inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1661,75 +1656,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11758", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.80.32", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392250602Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.80.32", - "ip": "192.168.80.32" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1740,80 +1739,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.80.32", + "ip": "192.168.80.32", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11758", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392251094Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.80.32", - "connection_id": "11758", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.80.32", - "ip": "192.168.80.32" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 148, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1824,80 +1822,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.80.32", + "ip": "192.168.80.32", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11759", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.252.6", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392251480Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11758", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.252.6", - "ip": "192.168.252.6" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": 
"17", - "transport": "udp", - "direction": "outbound" + "network": { + "direction": "outbound", + "iana_number": "17", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1908,80 +1905,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.6", + "ip": "192.168.252.6", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11759", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392251904Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.252.6", - "connection_id": "11759", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.252.6", - "ip": "192.168.252.6" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 164, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1992,79 +1988,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.6", + "ip": "192.168.252.6", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8257 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392252406Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11759", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8257, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1773, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": 
"asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2075,75 +2065,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1773 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11760", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1773, + "mapped_source_ip": "192.168.252.226", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1773 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392252794Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1773, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.252.226", - "ip": "192.168.252.226" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2154,79 +2148,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.226", + "ip": "192.168.252.226", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8258 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392253186Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.252.226", - "connection_id": "11760", - "source_interface": "outside", - "mapped_destination_port": 1773 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8258, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1774, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": 
"localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2237,75 +2225,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1774 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11761", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1774, + "mapped_source_ip": "192.168.252.226", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1774 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392253672Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1774, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.252.226", - "ip": "192.168.252.226" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2316,80 +2308,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.226", + "ip": "192.168.252.226", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11762", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.238.126", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392254085Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.252.226", - "connection_id": "11761", - "source_interface": "outside", - "mapped_destination_port": 1774 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.238.126", - "ip": "192.168.238.126" - }, - "tags": [ - "preserve_original_event" - ], 
"network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2400,80 +2391,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392254568Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.238.126", + "ip": "192.168.238.126", + "port": 53 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { + "connection_id": "11763", "destination_interface": "inside", - "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.238.126", - "connection_id": "11762", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.93.51", + "mapped_source_port": 53, + "source_interface": "outside" + } }, "destination": { - "port": 56132, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 56132 }, - "source": { - "port": 53, - "address": "192.168.93.51", - "ip": "192.168.93.51" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2484,80 +2474,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.93.51", + "ip": "192.168.93.51", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11762", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392254955Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.93.51", - "connection_id": "11763", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.238.126", - "ip": "192.168.238.126" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 111, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2568,80 +2557,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.238.126", + "ip": "192.168.238.126", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11763", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392255340Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11762", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.93.51", - "ip": "192.168.93.51" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 237, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, 
+ "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2652,79 +2640,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392255785Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.93.51", + "ip": "192.168.93.51", + "port": 53 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { - "destination_interface": "inside", - "connection_id": "11763", - "source_interface": "outside" + "destination_interface": "outside", + "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 8259, "address": "192.168.98.44", - "ip": "192.168.98.44" + "ip": "192.168.98.44", + "port": 8259 }, - "source": { - "port": 1775, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": 
"localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
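Review bot: The 305011 record here models the translation `from inside:172.31.98.44/1775 to outside:192.168.98.44/8259` as a source→destination pair, but 192.168.98.44/8259 is the mapped address of the same inside host rather than a peer, so `destination.ip`/`destination.port` are being filled with what ECS would express as `source.nat.ip`/`source.nat.port`. Since this commit is about ECS agreement, consider whether the expectation (and the pipeline behind it) should set `source.nat.*` and leave `destination.*` unset for translation events; as pinned now, a consumer correlating on `destination.ip` sees the firewall's own NAT address as a remote endpoint. The same shape is in the other 305011 records (hunks at -2814 and -3228). The pipeline is not visible in this diff, so this is a question rather than a confirmed defect; the record continues past the hunk.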
@@ -2735,75 +2717,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1775 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11764", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1775, + "mapped_source_ip": "192.168.225.103", + "mapped_source_port": 443, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1775 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392256223Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1775, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 443, - "address": "192.168.225.103", - "ip": "192.168.225.103" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2814,79 +2800,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.225.103", + "ip": "192.168.225.103", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 1189 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392256604Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 443, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.225.103", - "connection_id": "11764", - "source_interface": "outside", - "mapped_destination_port": 1775 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1189, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": 
"localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2897,75 +2877,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11772", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.240.126", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392257106Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.240.126", - "ip": "192.168.240.126" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2976,80 +2960,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.240.126", + "ip": "192.168.240.126", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11773", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.44.45", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392257504Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.240.126", - "connection_id": "11772", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.44.45", - "ip": "192.168.44.45" - }, - "tags": [ - "preserve_original_event" - ], "network": 
{ + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3060,80 +3043,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.44.45", + "ip": "192.168.44.45", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11772", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392257899Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.44.45", - "connection_id": "11773", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.240.126", - "ip": "192.168.240.126" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 87, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3144,80 +3126,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.240.126", + "ip": "192.168.240.126", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11773", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392258410Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11772", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.44.45", - "ip": "192.168.44.45" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 221, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + 
"hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3228,79 +3209,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392258869Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.44.45", + "ip": "192.168.44.45", + "port": 53 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { - "destination_interface": "inside", - "connection_id": "11773", - "source_interface": "outside" + "destination_interface": "outside", + "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 8265, "address": "192.168.98.44", - "ip": "192.168.98.44" + "ip": "192.168.98.44", + "port": 8265 }, - "source": { - "port": 1452, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": 
"localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3311,75 +3286,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1452 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11774", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1452, + "mapped_source_ip": "192.168.179.219", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1452 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392259266Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1452, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.179.219", - "ip": "192.168.179.219" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3390,80 +3369,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.179.219", + "ip": "192.168.179.219", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11775", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.157.232", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392259657Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.179.219", - "connection_id": "11774", - "source_interface": "outside", - "mapped_destination_port": 1452 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.157.232", - "ip": "192.168.157.232" - }, - "tags": [ - "preserve_original_event" - ], 
"network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3474,80 +3452,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.157.232", + "ip": "192.168.157.232", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11776", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.178.133", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392260044Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.157.232", - "connection_id": "11775", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.178.133", - "ip": "192.168.178.133" - }, - "tags": [ - "preserve_original_event" - ], 
"network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3558,80 +3535,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.178.133", + "ip": "192.168.178.133", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11775", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392260435Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.178.133", - "connection_id": "11776", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.157.232", - "ip": "192.168.157.232" - }, - "tags": [ - "preserve_original_event" - ], "network": { 
"bytes": 101, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3642,80 +3618,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.157.232", + "ip": "192.168.157.232", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11776", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392262447Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11775", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.178.133", - "ip": "192.168.178.133" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 126, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } 
+ }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3726,79 +3701,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.178.133", + "ip": "192.168.178.133", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8266 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392262943Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11776", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8266, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1453, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp" + "network": { + "iana_number": "6", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { 
"interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3809,75 +3778,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1453 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11777", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1453, + "mapped_source_ip": "192.168.133.112", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1453 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392263331Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1453, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.133.112", - "ip": "192.168.133.112" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3888,80 +3861,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.133.112", + "ip": "192.168.133.112", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11777", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1453 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392263722Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.133.112", - "connection_id": "11777", - "source_interface": "outside", - "mapped_destination_port": 1453 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1453, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.133.112", - "ip": "192.168.133.112" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { "bytes": 862, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3972,81 +3945,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.133.112", + "ip": "192.168.133.112", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11779", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.204.197", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392264102Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11777", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.204.197", - "ip": "192.168.204.197" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4057,80 +4028,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.204.197", + "ip": "192.168.204.197", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11778", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392264580Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.204.197", - "connection_id": "11779", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.157.232", - "ip": "192.168.157.232" - }, - "tags": [ - "preserve_original_event" - ], "network": { 
"bytes": 104, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4141,80 +4111,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.157.232", + "ip": "192.168.157.232", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11779", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392265013Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11778", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.204.197", - "ip": "192.168.204.197" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 176, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } 
+ }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4225,79 +4194,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.204.197", + "ip": "192.168.204.197", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8267 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392265531Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11779", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8267, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1454, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": 
"asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4308,75 +4271,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1454 }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392265915Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", - "code": "305011", - "kind": "event", + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11780", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1454, + "mapped_source_ip": "192.168.128.3", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1454 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1454, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.128.3", - "ip": "192.168.128.3" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4387,79 +4354,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.128.3", + "ip": "192.168.128.3", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8268 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392266300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.128.3", - "connection_id": "11780", - "source_interface": "outside", - "mapped_destination_port": 1454 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8268, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1455, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4470,75 +4431,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1455 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11781", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1455, + "mapped_source_ip": "192.168.128.3", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1455 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392266749Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1455, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.128.3", - "ip": "192.168.128.3" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": 
{ "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4549,79 +4514,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.128.3", + "ip": "192.168.128.3", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8269 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392267189Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.128.3", - "connection_id": "11781", - "source_interface": "outside", - "mapped_destination_port": 1455 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8269, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1456, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4632,75 +4591,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1456 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11782", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1456, + "mapped_source_ip": "192.168.128.3", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1456 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392267571Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1456, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.128.3", - "ip": "192.168.128.3" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": 
{ "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4711,80 +4674,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.128.3", + "ip": "192.168.128.3", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11783", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.100.4", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392267957Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.128.3", - "connection_id": "11782", - "source_interface": "outside", - "mapped_destination_port": 1456 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.4", - "ip": "192.168.100.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4795,80 +4757,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.100.4", + "ip": "192.168.100.4", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11783", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392268339Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.100.4", - "connection_id": "11783", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.4", - "ip": "192.168.100.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 104, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4879,79 +4840,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.100.4", + "ip": "192.168.100.4", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8270 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392268746Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11783", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8270, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1457, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": 
"asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4962,75 +4917,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1457 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11784", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1457, + "mapped_source_ip": "192.168.198.40", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1457 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392269258Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1457, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.40", - "ip": "192.168.198.40" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5041,79 +5000,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.40", + "ip": "192.168.198.40", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8271 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392269650Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.198.40", - "connection_id": "11784", - "source_interface": "outside", - "mapped_destination_port": 1457 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8271, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1458, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5124,75 +5077,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392270031Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1458 }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11785", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1458, + "mapped_source_ip": "192.168.198.40", + "mapped_source_port": 80, + "source_interface": "outside" + } }, "destination": { - "port": 1458, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1458 }, - "source": { - "port": 80, - "address": "192.168.198.40", - "ip": "192.168.198.40" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": 
{ + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5203,80 +5160,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.40", + "ip": "192.168.198.40", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11786", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.1.107", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392270420Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.198.40", - "connection_id": "11785", - "source_interface": "outside", - "mapped_destination_port": 1458 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.1.107", - "ip": "192.168.1.107" - }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5287,80 +5243,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.1.107", + "ip": "192.168.1.107", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11784", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1457 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392270805Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.1.107", - "connection_id": "11786", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1457, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.40", - "ip": "192.168.198.40" - }, - "tags": [ - "preserve_original_event" - ], 
"network": { "bytes": 593, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5371,80 +5327,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.40", + "ip": "192.168.198.40", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8272 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392271194Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11784", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8272, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1459, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - 
"hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5455,75 +5404,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1459 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11787", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1459, + "mapped_source_ip": "192.168.198.40", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1459 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392272037Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1459, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.40", - "ip": "192.168.198.40" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5534,80 +5487,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.40", + "ip": "192.168.198.40", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11786", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392272437Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.198.40", - "connection_id": "11787", - "source_interface": "outside", - "mapped_destination_port": 1459 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.1.107", - "ip": "192.168.1.107" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 375, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5618,79 +5570,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.1.107", + "ip": "192.168.1.107", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8273 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392272904Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11786", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8273, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1460, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "inside" + "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - 
"egress": { + "ingress": { "interface": { - "name": "outside" + "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5701,75 +5647,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1460 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11788", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1460, + "mapped_source_ip": "192.168.192.44", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1460 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392273296Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1460, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.192.44", - "ip": "192.168.192.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -5780,36 +5730,42 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.192.44", + "ip": "192.168.192.44", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392273739Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.192.44", - "connection_id": "11788", - "source_interface": "outside", - "mapped_destination_port": 1460 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
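Review bot: The 305012 "Teardown dynamic TCP translation" record on the new side of this hunk keeps an empty `"cisco": { "asa": {} }` object, and the same shape recurs in the later hunks at `@@ -5989` and `@@ -6029` through `@@ -6217`, while every other record in the file has at least one key under `cisco.asa`. An empty object in an expected fixture usually means the pipeline does not drop `cisco.asa` when no ASA-specific field was extracted, so the fixture would ideally be regenerated after a remove-empty-object step so that such records omit `cisco` entirely. Unlike the 305011 "Built dynamic TCP translation" records, which populate `source` and `destination`, the 305012 records also capture none of the addresses present in `event.original`; that looks like a pipeline gap rather than a fixture defect, but it is worth confirming since it means these teardowns cannot be correlated with the matching 305011 events.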
@@ -5820,86 +5776,73 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392274178Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8277, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1385, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" 
}, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5910,75 +5853,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1385 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11797", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.156.80", + "mapped_destination_port": 1385, + "mapped_source_ip": "192.168.19.254", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1385 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392274558Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1385, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -5989,36 +5936,42 @@ "172.31.156.80" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392274950Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.156.80", - "mapped_source_ip": "192.168.19.254", - "connection_id": "11797", - "source_interface": "outside", - "mapped_destination_port": 1385 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
@@ -6029,43 +5982,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392275335Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6076,43 +6028,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392275877Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6123,43 +6074,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392276337Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6170,43 +6120,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392276720Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6217,43 +6166,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392277117Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6264,87 +6212,80 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11564", + "destination_interface": "inside", + "source_interface": "outside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1382 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392277514Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30", - "code": "305012", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 325000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:29:31.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1382, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "source": { - "port": 80, - "address": "192.168.115.46", - "ip": "192.168.115.46" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 575, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": 
"inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6355,81 +6296,80 @@ "172.31.156.80" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.115.46", + "ip": "192.168.115.46", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11797", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1385 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 325000000000, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392277910Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:29:31.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11564", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1385, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 5391, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6440,80 +6380,73 @@ "172.31.156.80" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8278 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392278341Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11797", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8278, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1386, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } 
}, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6524,75 +6457,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392278729Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1386 }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11798", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.156.80", + "mapped_destination_port": 1386, + "mapped_source_ip": "192.168.115.46", + "mapped_source_port": 80, + "source_interface": "outside" + } }, "destination": { - "port": 1386, "address": "172.31.156.80", - "ip": "172.31.156.80" + "ip": "172.31.156.80", + "port": 1386 }, - "source": { - "port": 80, - "address": "192.168.115.46", - "ip": "192.168.115.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6603,79 +6540,76 @@ "172.31.156.80" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.115.46", + "ip": "192.168.115.46", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392279121Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.156.80", - "mapped_source_ip": "192.168.115.46", - "connection_id": "11798", - "source_interface": "outside", - "mapped_destination_port": 1386 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6686,77 +6620,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392279530Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6767,77 +6700,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392279924Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { "destination_interface": "inside", "rule_name": "inbound", "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "warning" }, "destination": { - "port": 8277, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 8277 }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" + "ecs": { + "version": "1.12.0" }, - "tags": [ - "preserve_original_event" - ], - "network": { + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "warning" + }, + "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": 
{ - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6848,77 +6780,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392280312Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6929,77 +6860,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392281299Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7010,77 +6940,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392281722Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7091,77 +7020,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392282105Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7172,77 +7100,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392282489Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7253,77 +7180,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392282870Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7334,77 +7260,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392283254Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { "destination_interface": "inside", "rule_name": "inbound", "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "warning" }, "destination": { - "port": 8277, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 8277 }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": 
"inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7415,77 +7340,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392283793Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7496,77 +7420,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392284175Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7577,77 +7500,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392284554Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7658,77 +7580,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8279 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392284937Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279", + "severity": 6, "type": [ - "info", - "denied" - ], - "outcome": "failure" + "info" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8279, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1275, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + 
"vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
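Review bot: The expected document for the 305011 translation message models the mapped outside address as a separate peer, `"destination": { "ip": "192.168.98.44", "port": 8279 }`, although the log line (`Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279`) describes one host before and after NAT rather than two endpoints. Since this PR's stated goal is agreement with ECS, the translated address belongs in `source.nat.ip` / `source.nat.port` next to `source.ip` / `source.port`, with no `destination.*` at all. As encoded, any detection or enrichment keyed on destination.ip will treat an address the firewall assigned as a NAT mapping as a connection target. This concerns the pipeline output the fixture asserts, not the re-keying this hunk performs, so the change belongs in the asa ingest pipeline and this expected file would then be regenerated.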
@@ -7739,75 +7657,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1275 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11799", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1275, + "mapped_source_ip": "192.168.205.99", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1275 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392285319Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1275, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.205.99", - "ip": "192.168.205.99" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
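Review bot: The expected document for the outbound 302013 connection places the `for outside:192.168.205.99/80` endpoint in `source` and the `to inside:172.31.98.44/1275` endpoint in `destination`, which looks inverted for `network.direction: outbound` — it asserts a host originating a connection from port 80 to ephemeral port 1275. The 305011 message immediately before it in this fixture builds the dynamic translation for inside:172.31.98.44/1275, which indicates that inside host is the initiator. If the ASA lists the lower-security interface first regardless of direction (what this sample suggests, though I cannot confirm it from the fixture alone), the pipeline should swap source/destination and the corresponding `cisco.asa.mapped_*` fields when the direction is outbound, and this document should then expect `source.ip: 172.31.98.44`, `source.port: 1275`, `destination.ip: 192.168.205.99`, `destination.port: 80`. The pipeline itself is outside this diff, so this is a note on what the expected output encodes rather than on the re-ordering the hunk performs.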
@@ -7818,79 +7740,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.205.99", + "ip": "192.168.205.99", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 1190 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392285708Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.205.99", - "connection_id": "11799", - "source_interface": "outside", - "mapped_destination_port": 1275 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1190, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": 
"localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -7901,159 +7817,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392286159Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11800", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.14.30", + "mapped_source_port": 53, + "source_interface": "outside" + } }, "destination": { - "port": 56132, "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.14.30", - "ip": "192.168.14.30" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "17", - "transport": "udp", - "direction": "outbound" - }, - "observer": { - "ingress": { - "interface": { - "name": "outside" - } - }, - "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "ip": "172.31.98.44", + "port": 56132 }, - "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "192.168.14.30", - "172.31.98.44" - ] - }, - "host": { - "hostname": "localhost" - }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392286578Z", - "original": 
"Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.14.30", - "connection_id": "11800", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.14.30", - "ip": "192.168.14.30" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 373, + "direction": "outbound", "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -8064,166 +7900,164 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.14.30", + "ip": "192.168.14.30", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11800", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392286982Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11800", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.252.210", - "ip": "192.168.252.210" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 373, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + 
"egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.252.210", + "192.168.14.30", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.14.30", + "ip": "192.168.14.30", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11801", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.252.210", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392287364Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - 
"mapped_source_ip": "192.168.252.210", - "connection_id": "11801", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.252.210", - "ip": "192.168.252.210" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 207, + "direction": "outbound", "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, - "related": { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { "hosts": [ "localhost" ], 
@@ -8232,404 +8066,399 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.210", + "ip": "192.168.252.210", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11801", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392287749Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11801", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8280, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1276, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "iana_number": "6", - "transport": "tcp" + "bytes": 207, + "iana_number": "17", + "transport": "udp" }, "observer": { - 
"ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.252.210", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.210", + "ip": "192.168.252.210", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8280 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392288129Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1276, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": 
"192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1276 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11802", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1276, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1276 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392288577Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", + 
"severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11802", - "source_interface": "outside", - "mapped_destination_port": 1276 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8281, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392288961Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { "destination_interface": "outside", "source_interface": 
"inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1277, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8281 }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1277 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11803", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1277, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + 
"source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392289348Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11803", - "source_interface": "outside", - "mapped_destination_port": 1277 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1276, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 12853, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": 
"CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -8640,243 +8469,240 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11802", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1276 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392289737Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11802", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8282, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1278, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 12853, "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8282 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392290123Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1278, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": 
"192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1278 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11804", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1278, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1278 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392290526Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", + 
"severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11804", - "source_interface": "outside", - "mapped_destination_port": 1278 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 5291, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -8887,243 +8713,240 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11803", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392291075Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11803", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8283, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1279, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 5291, "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8283 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392291467Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1279, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": 
"192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } - }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1279 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11805", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1279, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1279 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392291849Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", + 
"severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11805", - "source_interface": "outside", - "mapped_destination_port": 1279 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1278, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 965, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9134,81 +8957,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11804", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1278 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392292239Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11804", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1279, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 8605, + "bytes": 965, "iana_number": "6", "transport": 
"tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9219,243 +9041,240 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11805", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1279 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392292750Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11805", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8284, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1280, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 8605, "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8284 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392293140Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1280, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": 
"192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1280 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11806", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1280, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1280 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392293526Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", + 
"severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11806", - "source_interface": "outside", - "mapped_destination_port": 1280 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1280, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 3428, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9466,242 +9285,157 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11806", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1280 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392293919Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11806", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8285, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1281, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 3428, "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392294316Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { "destination_interface": "outside", "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1281, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "outbound" - }, - "observer": { - "ingress": { - "interface": { - "name": "outside" - } - }, - "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8285 }, - "@timestamp": 
"2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "192.168.98.165", - "172.31.98.44" - ] - }, - "host": { - "hostname": "localhost" - }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392294800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11807", - "source_interface": "outside", - "mapped_destination_port": 1281 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8286, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1282, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9712,75 +9446,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1281 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11807", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1281, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1281 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392295581Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1282, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9791,79 +9529,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8286 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392295970Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11808", - "source_interface": "outside", - "mapped_destination_port": 1282 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8287, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1283, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9874,75 +9606,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392296358Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1282 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { - "destination_interface": "outside", - "source_interface": "inside" + "connection_id": "11808", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1282, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1283, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1282 }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + 
"interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9953,79 +9689,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8287 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392296746Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11809", - "source_interface": "outside", - "mapped_destination_port": 1283 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8288, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1284, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10036,75 +9766,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1283 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11809", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1283, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1283 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392297132Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1284, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10115,165 +9849,156 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8288 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392297520Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11810", - "source_interface": "outside", - "mapped_destination_port": 1284 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1281, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 2028, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": 
"Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1284 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11810", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1284, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1284 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392297912Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11807", - "source_interface": "outside" - } - } - }, 
- { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1282, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 1085, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10284,81 +10009,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11807", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1281 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392298311Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11808", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1283, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 868, + "bytes": 2028, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10369,159 +10093,164 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11808", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1282 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392298703Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11809", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8289, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1285, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp" + "network": { + 
"bytes": 1085, + "iana_number": "6", + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11809", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1283 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392299591Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", - "code": "305011", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - 
}, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1285, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 868, "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10532,79 +10261,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8289 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392300071Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11811", - "source_interface": "outside", - "mapped_destination_port": 1285 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8290, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1286, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10615,75 +10338,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1285 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11811", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1285, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1285 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392300562Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1286, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10694,243 +10421,240 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8290 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392300953Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11812", - "source_interface": "outside", - "mapped_destination_port": 1286 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1284, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 4439, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - 
"vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1286 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11812", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1286, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1286 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392331831Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11810", - "source_interface": "outside" - } 
- } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8291, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1287, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11810", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1284 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392332418Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", - "code": "305011", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1287, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 4439, "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10941,165 +10665,156 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392332832Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11813", - "source_interface": "outside", - "mapped_destination_port": 1287 + "destination_interface": "outside", + "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1285, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8291 }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 914, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": 
{ "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1287 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11813", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1287, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1287 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392333382Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - 
"destination_interface": "inside", - "connection_id": "11811", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1286, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 871, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11110,495 +10825,573 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11811", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1285 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392333780Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11812", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.107", - "ip": "192.168.100.107" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "iana_number": "17", - "transport": "udp", - "direction": 
"outbound" + "bytes": 914, + "iana_number": "6", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.100.107", + "192.168.98.165", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392334162Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { + "connection_id": "11812", "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.100.107", - "connection_id": "11814", - "source_interface": "outside", - "mapped_destination_port": 56132 + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 8292, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1288, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1286 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": 
"flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 871, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11814", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.100.107", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392334548Z", - "original": "Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1288, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "iana_number": "17", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", + "192.168.100.107", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.100.107", + "ip": "192.168.100.107", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": 
"inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8292 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392334941Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11815", - "source_interface": "outside", - "mapped_destination_port": 1288 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.107", - "ip": "192.168.100.107" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 384, - "iana_number": "17", - "transport": "udp" + "iana_number": "6", + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
"localhost" ], "ip": [ - "192.168.100.107", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392335360Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1288 }, - "cisco": { - "asa": { + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11815", "destination_interface": "inside", - "connection_id": "11814", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1288, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 56132, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1288 }, - "source": { - "port": 53, - "address": "192.168.104.8", - "ip": "192.168.104.8" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "direction": "outbound", + "iana_number": "6", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.104.8", + "192.168.98.165", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11814", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392335922Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - 
"info" + "connection", + "end" ] }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 384, + "iana_number": "17", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.100.107", + "172.31.98.44" + ] + }, + "source": { + "address": "192.168.100.107", + "ip": "192.168.100.107", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { + "connection_id": "11816", "destination_interface": "inside", - "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, "mapped_source_ip": "192.168.104.8", - "connection_id": "11816", - "source_interface": "outside", - "mapped_destination_port": 56132 + "mapped_source_port": 53, + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 56132, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 56132 }, - "source": { - "port": 53, - "address": "192.168.104.8", - "ip": "192.168.104.8" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "bytes": 94, + "direction": "outbound", "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
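Review bot: The new expected document for the 302013 `Built outbound TCP connection 11815` event pins `source.ip`/`source.port` as `192.168.98.165`/`80` and `destination` as `172.31.98.44`/`1288` with `observer.ingress`=`outside` and `observer.egress`=`inside`, yet the 305011 `Built dynamic TCP translation from inside:172.31.98.44/1288` event just before it in this hunk shows the inside host with the ephemeral port as the initiator, so for outbound connections the ECS endpoints and ingress/egress interfaces appear inverted (inferred from this fixture; worth confirming against Cisco's 302013/302015 syntax, where the `for` side is the responder when the direction is outbound). This matters for detection content: a rule keyed on `source.ip` or `destination.port` for outbound traffic would match the wrong host and port. The fixture only records what the ingest pipeline emits, so the fix belongs in the asa pipeline (swap the `for`/`to` endpoints and the ingress/egress interfaces when `network.direction` is `outbound`, keeping the `cisco.asa.mapped_*` fields aligned) followed by regenerating this file; if the current mapping is intentional, a pipeline comment such as `# source/destination follow the syslog "for"/"to" order, not the connection initiator` would save the next reader the same question. The same pattern recurs for the 11813 and 11817 TCP events and the 11814/11816/11818 UDP events in the surrounding hunks.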
@@ -11609,79 +11402,156 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.104.8", + "ip": "192.168.104.8", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11816", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392336314Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11816", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8293, - "address": "192.168.98.44", - "ip": "192.168.98.44" + "network": { + "bytes": 94, + "iana_number": "17", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", 
+ "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.104.8", + "172.31.98.44" + ] }, "source": { - "port": 1289, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "address": "192.168.104.8", + "ip": "192.168.104.8", + "port": 53 }, "tags": [ "preserve_original_event" - ], + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8293 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11692,75 +11562,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1289 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11817", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1289, + "mapped_source_ip": "192.168.123.191", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1289 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392336694Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1289, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.123.191", - "ip": "192.168.123.191" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11771,80 +11645,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.123.191", + "ip": "192.168.123.191", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11815", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1288 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392337071Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.123.191", - "connection_id": "11817", - "source_interface": "outside", - "mapped_destination_port": 1289 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1288, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { "bytes": 945, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11855,81 +11729,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11813", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1287 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392337463Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11815", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1287, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 13284, "iana_number": "6", "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11940,81 +11813,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11818", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.100.4", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392337912Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11813", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.4", - "ip": "192.168.100.4" - }, - "tags": [ - "preserve_original_event" 
- ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12025,80 +11896,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392338372Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.100.4", + "ip": "192.168.100.4", + "port": 53 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.100.4", "connection_id": "11818", - "source_interface": "outside", - "mapped_destination_port": 56132 + "destination_interface": "inside", + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.4", - "ip": "192.168.100.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { 
"bytes": 104, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12109,79 +11979,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.100.4", + "ip": "192.168.100.4", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8294 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392338762Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11818", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8294, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1290, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": 
"asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12192,75 +12056,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1290 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11819", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1290, + "mapped_source_ip": "192.168.198.25", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1290 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392339144Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1290, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.25", - "ip": "192.168.198.25" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12271,80 +12139,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.25", + "ip": "192.168.198.25", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "9828", + "destination_interface": "NP Identity Ifc", + "source_interface": "outside" + } + }, + "destination": { + "address": "255.255.255.255", + "ip": "255.255.255.255", + "port": 68 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392339547Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 3526000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", + "severity": 6, + "start": "2018-10-10T11:36:10.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.198.25", - "connection_id": "11819", - "source_interface": "outside", - "mapped_destination_port": 1290 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" - }, - "destination": { - "port": 68, - "address": "255.255.255.255", - "ip": "255.255.255.255" - }, - "source": { - "port": 67, - "address": "192.168.48.1", - "ip": "192.168.48.1" - }, - "tags": [ - "preserve_original_event" 
- ], + }, "network": { "bytes": 58512, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "NP Identity Ifc" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "NP Identity Ifc" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -12355,36 +12222,42 @@ "255.255.255.255" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.48.1", + "ip": "192.168.48.1", + "port": 67 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 3526000000000, - "ingested": "2021-12-14T14:36:23.392339941Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", - "code": "302016", - "kind": "event", - "start": "2018-10-10T11:36:10.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "NP Identity Ifc", - "connection_id": "9828", - "source_interface": "outside" - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
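Review bot: The expected event for `%ASA-6-305012` (second hunk on this line, `"cisco": { "asa": {} }`) carries no `source`, `destination`, `network`, `related.ip` or `event.duration`, so the `inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30` details survive only inside `event.original`. The sibling `%ASA-6-305011` build event in this file does populate `source`/`destination`/`network`, and the `%ASA-6-302016` teardowns populate `event.duration`, `event.start` and `event.end`, so the translation teardown is the one message here that is left unparsed. The old side shows the same empty object, so this predates the commit and the change belongs in the ASA pipeline (with this fixture regenerated afterwards) rather than in the expected file; if the omission is deliberate, the pipeline's 305012 handling should say so in a comment so the next reader of this fixture does not take it for a regression.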
@@ -12395,87 +12268,79 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11820", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.3.39", + "mapped_source_port": 53, + "source_interface": "outside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392340486Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.3.39", - "ip": "192.168.3.39" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + 
"interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12486,164 +12351,245 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.3.39", + "ip": "192.168.3.39", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11821", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.162.30", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392340873Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, + "network": { + "direction": "outbound", + "iana_number": "17", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.162.30", + "172.31.98.44" + ] + }, + "source": { + "address": "192.168.162.30", + "ip": "192.168.162.30", + "port": 53 + }, 
+ "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.3.39", "connection_id": "11820", - "source_interface": "outside", - "mapped_destination_port": 56132 + "destination_interface": "inside", + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.162.30", - "ip": "192.168.162.30" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 168, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
"localhost" ], "ip": [ - "192.168.162.30", + "192.168.3.39", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.3.39", + "ip": "192.168.3.39", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11822", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.3.39", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392341260Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.162.30", - "connection_id": "11821", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.3.39", - "ip": "192.168.3.39" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "bytes": 168, + "direction": "outbound", "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12654,332 +12600,328 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.3.39", + "ip": "192.168.3.39", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11821", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392341649Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11820", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.3.39", - "ip": "192.168.3.39" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 198, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { 
+ "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.3.39", + "192.168.162.30", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.162.30", + "ip": "192.168.162.30", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11822", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392342036Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.3.39", - "connection_id": 
"11822", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { - "level": "informational" - }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.162.30", - "ip": "192.168.162.30" + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 198, + "bytes": 150, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.162.30", + "192.168.3.39", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.3.39", + "ip": "192.168.3.39", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11823", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.48.186", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392342430Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to 
inside:172.31.98.44/56132 duration 0:00:00 bytes 198", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11821", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.3.39", - "ip": "192.168.3.39" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 150, + "direction": "outbound", "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.3.39", + "192.168.48.186", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.48.186", + "ip": "192.168.48.186", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11823", + 
"destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392343042Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11822", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.48.186", - "ip": "192.168.48.186" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 84, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": 
"2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12990,326 +12932,322 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.48.186", + "ip": "192.168.48.186", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8295 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392343436Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.48.186", - "connection_id": "11823", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.48.186", - "ip": "192.168.48.186" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 84, - "iana_number": "17", - "transport": "udp" + "iana_number": "6", + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - 
"product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.48.186", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1291 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11824", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1291, + "mapped_source_ip": "192.168.54.190", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1291 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392343834Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11823", - "source_interface": 
"outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8295, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1291, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.54.190", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.54.190", + "ip": "192.168.54.190", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11825", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.254.94", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392344219Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + 
"code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1291, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.54.190", - "ip": "192.168.54.190" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "iana_number": "17", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.54.190", + "192.168.254.94", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.254.94", + "ip": "192.168.254.94", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11825", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": 
"2021-12-14T14:36:23.392344603Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.54.190", - "connection_id": "11824", - "source_interface": "outside", - "mapped_destination_port": 1291 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.254.94", - "ip": "192.168.254.94" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 188, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -13320,566 +13258,560 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.254.94", + "ip": "192.168.254.94", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8296 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392345309Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.254.94", - "connection_id": "11825", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.254.94", - "ip": "192.168.254.94" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 188, - "iana_number": "17", - "transport": "udp" + "iana_number": "6", + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - 
"product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.254.94", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1292 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11826", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1292, + "mapped_source_ip": "192.168.54.190", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1292 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392345724Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11825", - "source_interface": 
"outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8296, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1292, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.54.190", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.54.190", + "ip": "192.168.54.190", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8297 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392346155Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to 
outside:192.168.98.44/8297", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1292, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.54.190", - "ip": "192.168.54.190" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.54.190", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1293 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11827", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1293, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1293 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392346538Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP 
connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.54.190", - "connection_id": "11826", - "source_interface": "outside", - "mapped_destination_port": 1292 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8297, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1293, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8298 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392347062Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1293, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": 
"localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1294 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11828", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1294, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1294 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392347493Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11827", - "source_interface": "outside", - "mapped_destination_port": 1293 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8298, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1294, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11827", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1293 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392347879Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", - "code": "305011", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], - "type": [ - "info" - ] - }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", + "type": [ + 
"connection", + "end" + ] + }, + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1294, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 5964, "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -13890,326 +13822,233 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8299 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392350938Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11828", - "source_interface": "outside", - "mapped_destination_port": 1294 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1293, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 5964, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - 
"vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1295 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11829", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1295, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1295 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392351425Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11827", - "source_interface": "outside" - } 
- } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8299, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1295, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392351832Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { "destination_interface": "outside", "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1295, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - 
"preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "outbound" - }, - "observer": { - "ingress": { - "interface": { - "name": "outside" - } - }, - "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8300 }, - "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "192.168.98.165", - "172.31.98.44" - ] - }, - "host": { - "hostname": "localhost" - }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392352277Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11829", - "source_interface": "outside", - "mapped_destination_port": 1295 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8300, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1296, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + 
"interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14220,75 +14059,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1296 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11830", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1296, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1296 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392352660Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1296, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
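Review bot: In the new 302013 document, `network.direction` is `"outbound"` while `observer.ingress.interface.name` is `"outside"` and `observer.egress.interface.name` is `"inside"`, which reads as contradictory under ECS, where a perimeter observer reports direction from its own point of view and an outbound flow would enter on the inside interface. The `source` block that completes this object sits in the following hunk and carries the port-80 endpoint (`192.168.98.165:80`), so the expected output treats the server-side endpoint as the initiator; if the ASA outbound form names the responder first, the pipeline may have `source` and `destination` reversed, which is worth confirming against the 302013 message definition rather than patching in this fixture. The same shape recurs in the connection-built objects of the hunks at `@@ -14637`, `@@ -14799`, `@@ -14878` and `@@ -15214`. Given the commit's stated goal is ECS agreement, a pipeline comment explaining why built connections get `event.type: ["info"]` while teardowns get `["connection", "end"]` would also help, since `start` is an allowed `event.type` value.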
@@ -14299,80 +14142,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11828", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1294 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392353056Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11830", - "source_interface": "outside", - "mapped_destination_port": 1296 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1294, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" 
- ], "network": { "bytes": 6694, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14383,81 +14226,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11829", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1295 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392353443Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11828", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1295, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 1493, "iana_number": "6", "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14468,81 +14310,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11830", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1296 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392353834Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11829", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1296, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 893, "iana_number": "6", "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14553,80 +14394,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8301 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392354338Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11830", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8301, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1297, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - 
"hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
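Review bot: For the 305011 "Built dynamic TCP translation" document, the expected output places the translated address of the same inside host (`192.168.98.44:8301`) in `destination`, although the message describes one endpoint (`172.31.98.44/1297`) being mapped to that address rather than a connection to a peer; ECS models a translated address as `source.nat.ip`/`source.nat.port` alongside `source.ip`/`source.port`. The matching `source` block and the start of the next object lie in the following hunk. The same shape appears in the 305011 objects of the hunks at `@@ -14716` and `@@ -15130`. Since this commit is about ECS agreement, I'd confirm this is the intended pipeline behaviour before accepting the fixture, and if it is, add a pipeline comment stating that `destination` intentionally holds the mapped address for 305011.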
@@ -14637,75 +14471,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1297 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11831", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1297, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1297 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392354819Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1297, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14716,79 +14554,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8302 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392355201Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11831", - "source_interface": "outside", - "mapped_destination_port": 1297 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8302, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1298, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14799,75 +14631,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1298 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11832", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1298, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1298 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392355589Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1298, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14878,164 +14714,162 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11833", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.179.9", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392355970Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11832", - "source_interface": "outside", - "mapped_destination_port": 1298 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.179.9", - "ip": "192.168.179.9" - }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.179.9", + "172.31.98.44" + ] + }, + "source": { + "address": "192.168.179.9", + "ip": "192.168.179.9", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11833", + "destination_interface": "inside", + "source_interface": "outside" } }, - "@timestamp": "2018-10-10T12:34:56.000Z", + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "192.168.179.9", - "172.31.98.44" - ] - }, - "host": { - "hostname": "localhost" - }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392356356Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + 
"connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.179.9", - "connection_id": "11833", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.179.9", - "ip": "192.168.179.9" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 150, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15046,80 +14880,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.179.9", + "ip": "192.168.179.9", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11831", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1297 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392356915Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11833", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1297, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 2750, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": 
{ + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15130,80 +14964,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8303 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392357359Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11831", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8303, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1299, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - 
"hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15214,75 +15041,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1299 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11834", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1299, + "mapped_source_ip": "192.168.247.99", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1299 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392357732Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1299, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.247.99", - "ip": "192.168.247.99" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15293,79 +15124,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.247.99", + "ip": "192.168.247.99", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8304 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392358108Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.247.99", - "connection_id": "11834", - "source_interface": "outside", - "mapped_destination_port": 1299 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8304, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1300, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15376,75 +15201,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1300 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11835", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1300, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1300 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392358506Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1300, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15455,80 +15284,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11832", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1298 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392358890Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11835", - "source_interface": "outside", - "mapped_destination_port": 1300 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1298, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - 
], "network": { "bytes": 881, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15539,81 +15368,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11835", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1300 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392359300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11832", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1300, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 2202, "iana_number": "6", "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15624,80 +15452,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8305 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:23.392359681Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11835", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8305, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1301, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - 
"hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15708,75 +15529,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1301 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11836", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1301, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1301 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392360081Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1301, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15787,79 +15612,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8306 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392360464Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11836", - "source_interface": "outside", - "mapped_destination_port": 1301 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8306, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1302, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15870,75 +15689,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1302 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11837", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1302, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1302 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392360887Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1302, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -15949,36 +15772,42 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392361275Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11837", - "source_interface": "outside", - "mapped_destination_port": 1302 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
@@ -15989,43 +15818,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392361672Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16036,43 +15864,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392362106Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16083,43 +15910,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392362496Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16130,43 +15956,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392362884Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16177,43 +16002,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392363275Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16224,43 +16048,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392363790Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16271,43 +16094,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392364251Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16318,43 +16140,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392364654Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16365,43 +16186,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" - }, - "host": { - "hostname": "localhost" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392365058Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16412,43 +16232,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392365444Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16459,43 +16278,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392365831Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16506,43 +16324,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392366363Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16553,43 +16370,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392366745Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16600,43 +16416,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392367131Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16647,86 +16462,73 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8308 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392367520Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8308, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1304, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, 
- "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -16737,75 +16539,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1304 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11840", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1304, + "mapped_source_ip": "192.168.205.99", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1304 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392367906Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1304, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.205.99", - "ip": "192.168.205.99" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -16816,36 +16622,42 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.205.99", + "ip": "192.168.205.99", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392368291Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.205.99", - "connection_id": "11840", - "source_interface": "outside", - "mapped_destination_port": 1304 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
@@ -16856,43 +16668,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392369497Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16903,87 +16714,79 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11841", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.0.124", + "mapped_source_port": 53, + "source_interface": "outside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392369981Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.0.124", - "ip": "192.168.0.124" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + 
"egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -16994,80 +16797,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.0.124", + "ip": "192.168.0.124", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11842", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.160.2", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392370368Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.0.124", - "connection_id": "11841", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.160.2", - "ip": "192.168.160.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -17078,80 +16880,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.160.2", + "ip": "192.168.160.2", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11841", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392370757Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.160.2", - "connection_id": "11842", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.0.124", - "ip": "192.168.0.124" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 318, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -17162,163 +16963,156 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.0.124", + "ip": "192.168.0.124", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11842", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392371152Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11841", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.160.2", - "ip": "192.168.160.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 104, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + 
"hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.160.2", + "172.31.98.44" + ] + }, + "source": { + "address": "192.168.160.2", + "ip": "192.168.160.2", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" } }, - "@timestamp": "2018-10-10T12:34:56.000Z", + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8309 + }, "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "192.168.160.2", - "172.31.98.44" - ] - }, - "host": { - "hostname": "localhost" - }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:36:23.392371921Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11842", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { 
"level": "informational" }, - "destination": { - "port": 8309, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1305, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -17329,75 +17123,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1305 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11843", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1305, + "mapped_source_ip": "192.168.124.24", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1305 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392372309Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1305, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -17408,36 +17206,42 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392372701Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.124.24", - "connection_id": "11843", - "source_interface": "outside", - "mapped_destination_port": 1305 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
@@ -17448,43 +17252,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392373143Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -17495,43 +17298,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392373532Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -17542,43 +17344,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392373976Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -17589,43 +17390,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392374380Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -17636,43 +17436,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392374772Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -17683,43 +17482,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392375160Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -17730,87 +17528,80 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11843", + "destination_interface": "inside", + "source_interface": "outside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1305 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392375552Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30", - "code": "305012", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 4000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:34:52.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "asa": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1305, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 410333, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + 
"name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -17821,80 +17612,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 4000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:36:23.392375940Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:52.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ - "connection", - "end" + "info", + "denied" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "11843", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } 
+ }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -17905,77 +17692,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392376383Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -17986,77 +17772,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392376827Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18067,77 +17852,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392377207Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" + "destination_interface": "outside", + "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8310 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8310, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1306, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": 
"Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18148,75 +17929,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1306 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "connection_id": "11844", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1306, + "mapped_source_ip": "192.168.124.24", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1306 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392377593Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1306, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18227,79 +18012,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:23.392377973Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.124.24", - "connection_id": "11844", - "source_interface": "outside", - "mapped_destination_port": 1306 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18310,77 +18092,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392378359Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "outside" + "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { - "name": "inside" 
+ "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18391,77 +18172,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392378856Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18472,77 +18252,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392379243Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18553,77 +18332,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392379646Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18634,77 +18412,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392380031Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18715,77 +18492,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392380419Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18796,77 +18572,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392380815Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18877,77 +18652,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392381654Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18958,77 +18732,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392382043Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19039,77 +18812,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392382435Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19120,77 +18892,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392383192Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19201,77 +18972,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392383622Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19282,77 +19052,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392384003Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19363,77 +19132,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392384387Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19444,77 +19212,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392384777Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "outside" + "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { - "name": "inside" 
+ "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19525,77 +19292,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392385164Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19606,77 +19372,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392385644Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19687,77 +19452,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392386078Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19768,77 +19532,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392386463Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19849,77 +19612,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392386854Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19930,77 +19692,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392387238Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20011,77 +19772,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392388043Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "outside" + "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { - "name": "inside" 
+ "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20092,77 +19852,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392388593Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20173,77 +19932,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392388980Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20254,77 +20012,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392389354Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20335,77 +20092,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392389737Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20416,77 +20172,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392390117Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20497,77 +20252,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392390504Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20578,77 +20332,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392391090Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "outside" + "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { - "name": "inside" 
+ "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20659,77 +20412,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392391472Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20740,77 +20492,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392391852Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20821,77 +20572,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392392260Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -20902,32 +20652,14 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:23.392392637Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json index b1cfaed7e01..3df231a2ddb 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json 
@@ -1,68 +1,67 @@ { "expected": [ { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, "@timestamp": "2020-02-20T16:11:11.000Z", + "cisco": { + "asa": { + "connection_type": "AnyConnect", + "dap_records": [ + "dap_1", + "dap_2" + ] + } + }, "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "81.2.69.144" + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "734001", + "kind": "event", + "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.144, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", + "severity": 6, + "type": [ + "info" ] }, "log": { "level": "informational" }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, "source": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", "ip": "81.2.69.144" }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:56.018932055Z", - "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.144, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", - "code": "734001", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] - }, - "user": { - "email": "firsname.lastname@domain.net" - }, - "cisco": { - "asa": { - "connection_type": "AnyConnect", - "dap_records": [ - "dap_1", - "dap_2" - ] - } - }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "email": 
"firsname.lastname@domain.net" + } } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json index 06df5e68ca5..453de60c1dd 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json @@ -1,6 +1,32 @@ { "expected": [ { + "@timestamp": "2022-01-01T01:00:27.000Z", + "cisco": { + "asa": {} + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "999999", + "kind": "event", + "original": "Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered.", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "hostname": "beats" + }, + "log": { + "level": "debug" + }, "observer": { "hostname": "beats", "product": "asa", 
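Review bot: The expected `@timestamp` in this hunk is `"2022-01-01T01:00:27.000Z"`, while the next hunk removes the previous `"2021-01-01T01:00:27.000Z"` and likewise moves the 01:00:30 record to 2022, yet the sample line (`Jan 1 01:00:27 beats asa[1234]: ...`) carries no year, so the year presumably comes from when the fixture was regenerated rather than from the event. That makes the expectation non-reproducible: it will diverge again at the next regeneration or year roll-over, which this commit does not address; the 01:02:12 record in the last hunk of this file has the same pattern. Consider adding an explicit year to these sample lines, or, if the pipeline test config supports it, treating `@timestamp` as a dynamic field so the comparison ignores it, which appears to be how `event.ingested` is already kept out of the expectation.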
@@ -11,43 +37,39 @@ "name": "asa", "pid": 1234 }, - "@timestamp": "2021-01-01T01:00:27.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "beats" ] }, - "log": { - "level": "debug" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-01-01T01:00:30.000Z", + "cisco": { + "asa": {} }, - "host": { - "hostname": "beats" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:36:56.170625119Z", - "original": "Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered.", - "code": "999999", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "999999", + "kind": "event", + "original": "Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level.", + "severity": 8, "type": [ "info" ] }, - "cisco": { - "asa": {} + "host": { + "hostname": "beats" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "beats", "product": "asa", 
@@ -58,79 +80,70 @@ "name": "asa", "pid": 1234 }, - "@timestamp": "2021-01-01T01:00:30.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "beats" ] }, - "host": { - "hostname": "beats" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-01-01T01:02:12.000Z", + "cisco": { + "asa": { + "source_interface": "eth0" + } + }, + "destination": { + "address": "192.168.33.12", + "ip": "192.168.33.12", + "port": 443 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 8, - "ingested": "2021-12-14T14:36:56.170627623Z", - "original": "Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level.", - "code": "999999", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106001", + "kind": "event", + "original": "Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", + "outcome": "failure", + "severity": 2, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "asa": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "asa", - "pid": 1234 + "host": { + "hostname": "beats" }, "log": { "level": "critical" }, - "destination": { - "port": 443, - "address": "192.168.33.12", - "ip": "192.168.33.12" - }, - "source": { - "port": 45321, - "address": "10.13.12.11", - "ip": "10.13.12.11" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "inbound", "iana_number": "6", - "transport": "tcp", - "direction": "inbound" + "transport": "tcp" }, "observer": { + "hostname": "beats", "ingress": { "interface": { "name": "eth0" } }, - "hostname": "beats", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2021-01-01T01:02:12.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "asa", + "pid": 1234 }, "related": { "hosts": [ 
@@ -141,30 +154,14 @@ "192.168.33.12" ] }, - "host": { - "hostname": "beats" - }, - "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:56.170628084Z", - "original": "Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", - "code": "106001", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.13.12.11", + "ip": "10.13.12.11", + "port": 45321 }, - "cisco": { - "asa": { - "source_interface": "eth0" - } - } + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json index ab94e9534a0..414f747ca6e 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json 
@@ -1,21 +1,38 @@ { "expected": [ { - "log": { - "level": "informational" + "@timestamp": "2019-10-10T10:21:36.000Z", + "cisco": { + "asa": { + "mapped_source_ip": "10.0.55.66" + } }, "destination": { "domain": "target.destination.hostname.local" }, - "source": { - "nat": { - "ip": "10.0.55.66" - }, - "domain": "Prod-host.name.addr" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302021", + "kind": "event", + "original": "Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", + "severity": 6, + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" @@ -26,10 +43,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-10-10T10:21:36.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost", 
@@ -40,45 +53,52 @@ "10.0.55.66" ] }, - "host": { - "hostname": "localhost" + "source": { + "domain": "Prod-host.name.addr", + "nat": { + "ip": "10.0.55.66" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2011-06-04T21:59:52.000Z", + "cisco": { + "asa": { + "icmp_code": 0, + "icmp_type": 8, + "mapped_source_ip": "192.168.2.134" + } + }, + "destination": { + "address": "192.168.2.15", + "ip": "192.168.2.15" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:56.443349711Z", - "original": "Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", - "code": "302021", - "kind": "event", "action": "flow-expiration", "category": [ "network" ], + "code": "302021", + "kind": "event", + "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.15/0 gaddr 192.168.2.134/57808 laddr 192.168.2.134/57808 type 8 code 0", + "severity": 6, "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "mapped_source_ip": "10.0.55.66" - } - } - }, - { + "host": { + "hostname": "MYHOSTNAME" + }, "log": { "level": "informational" }, - "destination": { - "address": "192.168.2.15", - "ip": "192.168.2.15" - }, - "source": { - "address": "192.168.2.134", - "ip": "192.168.2.134" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" @@ -89,10 +109,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2011-06-04T21:59:52.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "MYHOSTNAME" 
@@ -102,31 +118,13 @@ "192.168.2.15" ] }, - "host": { - "hostname": "MYHOSTNAME" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:56.443351777Z", - "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.15/0 gaddr 192.168.2.134/57808 laddr 192.168.2.134/57808 type 8 code 0", - "code": "302021", - "kind": "event", - "action": "flow-expiration", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.2.134", + "ip": "192.168.2.134" }, - "cisco": { - "asa": { - "mapped_source_ip": "192.168.2.134", - "icmp_type": 8, - "icmp_code": 0 - } - } + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json index 2f08c6f88d6..b67d76d951d 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json 
@@ -1,44 +1,62 @@ { "expected": [ { - "log": { - "level": "notification" + "@timestamp": "2019-10-04T15:27:55.000Z", + "cisco": { + "asa": { + "destination_interface": "OUTSIDE", + "rule_name": "AL-DMZ-LB-IN", + "source_interface": "LB-DMZ" + } }, "destination": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 53 }, - "syslog": { - "facility": { - "code": 165 - } + "ecs": { + "version": "1.12.0" }, - "source": { - "port": 27218, - "address": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", - "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244" + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "outcome": "failure", + "severity": 5, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "OUTSIDE" + } + }, "ingress": { "interface": { "name": "LB-DMZ" @@ -46,16 +64,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "OUTSIDE" - } - } - }, - "@timestamp": "2019-10-04T15:27:55.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -65,45 +74,54 @@ "81.2.69.144" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:56.653383328Z", - "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", + "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", + "port": 27218 }, - "cisco": { - "asa": { - "destination_interface": "OUTSIDE", - "rule_name": "AL-DMZ-LB-IN", - "source_interface": "LB-DMZ" + "syslog": { + "facility": { + "code": 165 } - } + }, + "tags": [ + "preserve_original_event" + ] }, { - "log": { - "level": "informational" + "@timestamp": "2020-01-01T10:42:53.000Z", + "cisco": { + "asa": { + "mapped_source_host": "mydomain.example.net" + } }, "destination": { "address": "172.24.177.29", "ip": "172.24.177.29" }, - "source": { - "address": "192.168.132.46", - "ip": "192.168.132.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302021", + "kind": "event", + "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", + "severity": 6, + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" @@ -114,10 +132,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-01-01T10:42:53.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" 
@@ -127,77 +141,78 @@ "172.24.177.29" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.132.46", + "ip": "192.168.132.46" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-01-02T11:33:20.000Z", + "cisco": { + "asa": { + "destination_interface": "wan", + "mapped_destination_host": "www.example.org", + "mapped_destination_port": 80, + "mapped_source_host": "source.example.net", + "mapped_source_port": 11234, + "rule_name": "dynamic", + "source_interface": "eth0", + "threat_category": "malware", + "threat_level": "high" + } + }, + "destination": { + "address": "172.24.177.3", + "domain": "example.org", + "ip": "172.24.177.3", + "port": 80 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:56.653386031Z", - "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", - "code": "302021", - "kind": "event", - "action": "flow-expiration", + "action": "firewall-rule", "category": [ "network" ], + "code": "338204", + "kind": "event", + "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", + "outcome": "failure", + "severity": 4, "type": [ - "connection", - "end" + "info", + "denied" ] }, - "cisco": { - "asa": { - "mapped_source_host": "mydomain.example.net" - } - } - }, - { - "server": { - "domain": "example.org" + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "address": "172.24.177.3", - "port": 80, - "domain": "example.org", - "ip": "172.24.177.3" - }, - "source": { - "nat": { - "port": 11234 - }, - "address": "10.10.10.1", - "port": 1234, - "ip": 
"10.10.10.1" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "wan" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "eth0" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "wan" - } - } - }, - "@timestamp": "2020-01-02T11:33:20.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ @@ -209,38 +224,20 @@ "172.24.177.3" ] }, - "host": { - "hostname": "localhost" + "server": { + "domain": "example.org" }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:56.653386545Z", - "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", - "code": "338204", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.10.10.1", + "ip": "10.10.10.1", + "nat": { + "port": 11234 + }, + "port": 1234 }, - "cisco": { - "asa": { - "mapped_destination_host": "www.example.org", - "destination_interface": "wan", - "mapped_source_port": 11234, - "threat_level": "high", - "mapped_source_host": "source.example.net", - "rule_name": "dynamic", - "source_interface": "eth0", - "mapped_destination_port": 80, - "threat_category": "malware" - } - } + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json index 833642a7854..0d9ca2cf16c 100644 
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json @@ -1,27 +1,50 @@ { "expected": [ { - "log": { - "level": "warning" + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "acl_dmz", + "source_interface": "dmz" + } }, "destination": { - "port": 53, "address": "192.168.0.8", - "ip": "192.168.0.8" + "ip": "192.168.0.8", + "port": 53 }, - "source": { - "port": 63016, - "address": "10.1.2.30", - "ip": "10.1.2.30" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "dmz" @@ -29,16 +52,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-15T09:36:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -46,52 +60,60 @@ "192.168.0.8" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032435283Z", - "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.1.2.30", + "ip": "10.1.2.30", + "port": 63016 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-15T09:36:50.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_dmz", "source_interface": "dmz" } - } - }, - { - "log": { - "level": "warning" }, "destination": { - "port": 53, "address": "192.168.0.8", - "ip": "192.168.0.8" + "ip": "192.168.0.8", + "port": 53 }, - "source": { - "port": 63016, - "address": "10.1.2.30", - "ip": "10.1.2.30" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "dmz" @@ -99,16 +121,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-15T09:36:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -116,52 +129,61 @@ "192.168.0.8" ] }, + "source": { + "address": "10.1.2.30", + "ip": "10.1.2.30", + "port": 63016 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-04-15T13:34:34.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside", + "suffix": "session" + } + }, + "destination": { + "address": "192.168.0.89", + "ip": "192.168.0.89", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032437545Z", - "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "rule_name": "acl_dmz", - "source_interface": "dmz" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.89", - "ip": "192.168.0.89" - }, - "source": { - "port": 2241, - "address": "10.1.2.16", - "ip": "10.1.2.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -169,16 +191,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2014-04-15T13:34:34.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -186,71 +199,72 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032437941Z", - "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.1.2.16", + "ip": "10.1.2.16", + "port": 2241 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-24T16:00:28.000Z", "cisco": { "asa": { "destination_interface": "outside", - "suffix": "session", - "rule_name": "acl_in", + "rule_name": "inside", "source_interface": "inside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 53, "address": "192.168.2.10", - "ip": "192.168.2.10" + "ip": "192.168.2.10", + "port": 53 }, - "source": { - "port": 1039, - "address": "172.29.2.101", - "ip": "172.29.2.101" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "outcome": "failure", + "severity": 6, + "type": [ + "info", + "denied" + ] + }, + "host": { + "hostname": "INT-FW01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "INT-FW01", "ingress": { "interface": { "name": "inside" } }, - "hostname": "INT-FW01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": 
"2013-04-24T16:00:28.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -261,73 +275,72 @@ "192.168.2.10" ] }, - "host": { - "hostname": "INT-FW01" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032438298Z", - "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "172.29.2.101", + "ip": "172.29.2.101", + "port": 1039 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-24T16:00:27.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "inside", "source_interface": "inside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 53, "address": "192.168.2.57", - "ip": "192.168.2.57" + "ip": "192.168.2.57", + "port": 53 }, - "source": { - "port": 1065, - "address": "172.29.2.3", - "ip": "172.29.2.3" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "outcome": "success", + "severity": 6, + "type": [ + "info", + "allowed" + ] + }, + "host": { + "hostname": "INT-FW01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "INT-FW01", "ingress": { "interface": { "name": "inside" } }, - "hostname": "INT-FW01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": 
"2013-04-24T16:00:27.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -338,72 +351,65 @@ "192.168.2.57" ] }, - "host": { - "hostname": "INT-FW01" + "source": { + "address": "172.29.2.3", + "ip": "172.29.2.3", + "port": 1065 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.2.130", + "ip": "192.168.2.130", + "port": 12834 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032438634Z", - "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", + "severity": 6, "type": [ - "info", - "allowed" - ], - "outcome": "success" + "info" + ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "rule_name": "inside", - "source_interface": "inside" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 12834, - "address": "192.168.2.130", - "ip": "192.168.2.130" - }, - "source": { - "port": 4952, - "address": "10.123.3.42", - "ip": "10.123.3.42" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -411,70 +417,74 @@ "192.168.2.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032438971Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "10.123.3.42", + "ip": "10.123.3.42", + "port": 4952 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", "cisco": { "asa": { + "connection_id": "89743274", "destination_interface": "outside", + "mapped_destination_ip": "10.123.3.42", + "mapped_destination_port": 12834, + "mapped_source_ip": "192.168.2.43", + "mapped_source_port": 443, "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { + "address": "10.123.3.42", + "ip": "10.123.3.42", "nat": { "port": 12834 }, - "address": "10.123.3.42", - "port": 4952, - "ip": "10.123.3.42" + "port": 4952 }, - "source": { - "port": 443, - "address": "192.168.2.43", - "ip": "192.168.2.43" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } - }, - "@timestamp": 
"2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -482,71 +492,65 @@ "10.123.3.42" ] }, + "source": { + "address": "192.168.2.43", + "ip": "192.168.2.43", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.2.130", + "ip": "192.168.2.130", + "port": 25882 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032439303Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "mapped_source_port": 443, - "mapped_destination_ip": "10.123.3.42", - "mapped_source_ip": "192.168.2.43", - "connection_id": "89743274", - "source_interface": "outside", - "mapped_destination_port": 12834 - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 25882, - "address": "192.168.2.130", - "ip": "192.168.2.130" - }, - "source": { - "port": 52925, - "address": "10.123.1.35", - "ip": "10.123.1.35" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + 
"vendor": "Cisco" }, "related": { "ip": [ 
@@ -554,73 +558,74 @@ "192.168.2.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032439649Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "10.123.1.35", + "ip": "10.123.1.35", + "port": 52925 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", "cisco": { "asa": { + "connection_id": "89743275", "destination_interface": "outside", + "mapped_destination_ip": "10.123.1.35", + "mapped_destination_port": 25882, + "mapped_source_ip": "192.168.2.43", + "mapped_source_port": 53, "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { + "address": "10.123.1.35", + "ip": "10.123.1.35", "nat": { "port": 25882 }, - "address": "10.123.1.35", - "port": 52925, - "ip": "10.123.1.35" + "port": 52925 }, - "source": { - "nat": { - "ip": "192.168.2.43" - }, - "address": "192.168.2.222", - "port": 53, - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302015", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": 
"outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -629,71 +634,68 @@ "10.123.1.35" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "nat": { + "ip": "192.168.2.43" + }, + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.2.130", + "ip": "192.168.2.130", + "port": 45392 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032439997Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "mapped_source_port": 53, - "mapped_destination_ip": "10.123.1.35", - "mapped_source_ip": "192.168.2.43", - "connection_id": "89743275", - "source_interface": "outside", - "mapped_destination_port": 25882 - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 45392, - "address": "192.168.2.130", - "ip": "192.168.2.130" - }, - "source": { - "port": 4953, - "address": "10.123.3.42", - "ip": "10.123.3.42" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": 
"asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -701,71 +703,75 @@ "192.168.2.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032440327Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "10.123.3.42", + "ip": "10.123.3.42", + "port": 4953 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", "cisco": { "asa": { + "connection_id": "89743276", "destination_interface": "outside", + "mapped_destination_ip": "10.123.3.130", + "mapped_destination_port": 45392, + "mapped_source_ip": "192.168.2.1", + "mapped_source_port": 80, "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { + "address": "10.123.3.42", + "ip": "10.123.3.42", "nat": { - "port": 45392, - "ip": "10.123.3.130" + "ip": "10.123.3.130", + "port": 45392 }, - "address": "10.123.3.42", - "port": 4953, - "ip": "10.123.3.42" + "port": 4953 }, - "source": { - "port": 80, - "address": "192.168.2.1", - "ip": "192.168.2.1" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": 
{ "name": "outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -774,55 +780,63 @@ "10.123.3.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032440655Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.2.1", + "ip": "192.168.2.1", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", "cisco": { "asa": { - "destination_interface": "outside", - "mapped_source_port": 80, - "mapped_destination_ip": "10.123.3.130", - "mapped_source_ip": "192.168.2.1", - "connection_id": "89743276", - "source_interface": "outside", - "mapped_destination_port": 45392 + "connection_id": "89743275", + "destination_interface": "inside", + "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 52925, "address": "10.123.1.35", - "ip": "10.123.1.35" + "ip": "10.123.1.35", + "port": 52925 }, - "source": { - "port": 53, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302016", + "duration": 5025000000000, + "end": "2013-04-29T12:59:50.000Z", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "severity": 6, + "start": "2013-04-29T11:36:05.000Z", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 140, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": 
"outside" @@ -830,16 +844,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -847,55 +852,65 @@ "10.123.1.35" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "asa": { + "connection_id": "666", + "destination_interface": "inside", + "destination_username": "user2", + "source_interface": "outside", + "source_username": "user1" + } + }, + "destination": { + "address": "10.123.1.35", + "ip": "10.123.1.35", + "port": 52925 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "duration": 5025000000000, - "ingested": "2021-12-14T14:36:57.032441189Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", - "code": "302016", - "kind": "event", - "start": "2013-04-29T11:36:05.000Z", "action": "flow-expiration", - "end": "2013-04-29T12:59:50.000Z", "category": [ "network" ], + "code": "302016", + "duration": 36000000000000, + "end": "2013-04-29T12:59:50.000Z", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "severity": 6, + "start": "2013-04-29T02:59:50.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "connection_id": "89743275", - "source_interface": "outside" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 52925, - "address": "10.123.1.35", - "ip": "10.123.1.35" - }, - "source": { - "port": 53, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 9999999, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "outside" 
@@ -903,16 +918,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -920,49 +926,49 @@ "10.123.1.35" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2011-06-04T21:59:52.000Z", + "cisco": { + "asa": { + "mapped_source_ip": "192.168.132.46" + } + }, + "destination": { + "address": "172.24.177.29", + "ip": "172.24.177.29" + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "duration": 36000000000000, - "ingested": "2021-12-14T14:36:57.032441536Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", - "code": "302016", - "kind": "event", - "start": "2013-04-29T02:59:50.000Z", "action": "flow-expiration", - "end": "2013-04-29T12:59:50.000Z", "category": [ "network" ], + "code": "302021", + "kind": "event", + "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "severity": 6, "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "source_username": "user1", - "destination_interface": "inside", - "connection_id": "666", - "source_interface": "outside", - "destination_username": "user2" - } - } - }, - { + "host": { + "hostname": "FJSG2NRFW01" + }, "log": { "level": "informational" }, - "destination": { - "address": "172.24.177.29", - "ip": "172.24.177.29" - }, - "source": { - "address": "192.168.132.46", - "ip": "192.168.132.46" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" 
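Review bot: The teardown event for connection `666` in this hunk carries `user1`/`user2` only as `cisco.asa.source_username` and `cisco.asa.destination_username`; the expected document shows no `source.user.name`, `destination.user.name` or `related.user`, so these identities are not reachable through the ECS user fields a "make fields agree with ECS" change would be expected to populate. If that omission is not deliberate, setting those three fields from the `cisco.asa.*_username` values in the pipeline and regenerating this fixture would keep the vendor fields while making `related.user` queries work. The same pattern appears later with `cisco.asa.rule_name` (`acl_in`, in the 106100 events), which is not mirrored into `rule.name` in those documents either. The enclosing `expected` array continues beyond this hunk.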
@@ -973,10 +979,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2011-06-04T21:59:52.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "FJSG2NRFW01" @@ -986,52 +988,56 @@ "172.24.177.29" ] }, - "host": { - "hostname": "FJSG2NRFW01" + "source": { + "address": "192.168.132.46", + "ip": "192.168.132.46" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.130", + "ip": "192.168.0.130", + "port": 10879 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032441866Z", - "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", - "code": "302021", - "kind": "event", - "action": "flow-expiration", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "asa": { - "mapped_source_ip": "192.168.132.46" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 10879, - "address": "192.168.0.130", - "ip": "192.168.0.130" - }, - "source": { - "port": 4954, - "address": "192.168.3.42", - "ip": "192.168.3.42" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1039,16 +1045,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1056,54 +1053,67 @@ "192.168.0.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032442214Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.3.42", + "ip": "192.168.3.42", + "port": 4954 }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - } + "tags": [ + "preserve_original_event" + ] }, { - "log": { - "level": "informational" - }, - "destination": { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "asa": { + "connection_id": "89743277", + "destination_interface": "inside", + "mapped_destination_ip": "10.0.0.130", + "mapped_destination_port": 10879, + "mapped_source_ip": "192.168.0.17", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.3.42", + "ip": "192.168.3.42", "nat": { - "port": 10879, - "ip": "10.0.0.130" + "ip": "10.0.0.130", + "port": 10879 }, - "address": "192.168.3.42", - "port": 4954, - "ip": "192.168.3.42" + "port": 4954 }, - "source": { - "port": 80, - "address": "192.168.0.17", - "ip": "192.168.0.17" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": 
"inside" + } + }, "ingress": { "interface": { "name": "outside" @@ -1111,16 +1121,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1129,112 +1130,117 @@ "10.0.0.130" ] }, + "source": { + "address": "192.168.0.17", + "ip": "192.168.0.17", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:33.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "10.1.2.60", + "ip": "10.1.2.60", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032442548Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106007", + "kind": "event", + "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "outcome": "failure", + "severity": 2, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "10.0.0.130", - "mapped_source_ip": "192.168.0.17", - "connection_id": "89743277", - "source_interface": "outside", - "mapped_destination_port": 10879 - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "port": 53, - "address": "10.1.2.60", - "ip": "10.1.2.60" - }, - "source": { - "port": 12981, - "address": "192.168.0.66", - "ip": "192.168.0.66" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "protocol": "dns", - "transport": "udp", + "direction": "inbound", "iana_number": "17", - "direction": "inbound" + "protocol": "dns", + "transport": "udp" }, "observer": { - "type": "firewall", "product": "asa", + "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2013-04-30T09:22:33.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "192.168.0.66", "10.1.2.60" ] }, + "source": { + "address": "192.168.0.66", + "ip": "192.168.0.66", + 
"port": 12981 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.89", + "ip": "192.168.0.89", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032442999Z", - "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", - "code": "106007", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "asa": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.89", - "ip": "192.168.0.89" - }, - "source": { - "port": 2006, - "address": "10.0.0.16", - "ip": "10.0.0.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1242,16 +1248,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:38.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
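Review bot: The 106007 deny event in this hunk keeps an empty `"cisco": { "asa": {} }` object in the expected output, which means every indexed document for that message type carries an empty vendor object. If the pipeline cannot avoid creating the parent before it knows whether any `cisco.asa.*` field will be set, a trailing step that removes an empty `cisco.asa` (and `cisco` when it becomes empty) would keep the documents consistent with the other events, where the object only appears with content. The enclosing `expected` array continues beyond this hunk.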
@@ -1259,52 +1256,60 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032443336Z", - "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2006 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49734, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1312,16 +1317,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:38.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1329,52 +1325,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032443682Z", - "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49734 }, - "cisco": { - "asa": { - "destination_interface": "outside", + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49735, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1382,16 +1386,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:39.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -1399,52 +1394,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032444019Z", - "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49735 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49736, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1452,16 +1455,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:39.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -1469,52 +1463,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032444391Z", - "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49736 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49737, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1522,16 +1524,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:39.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -1539,52 +1532,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032444718Z", - "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49737 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:40.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49738, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1592,16 +1593,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:40.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -1609,52 +1601,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032445173Z", - "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49738 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:41.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49746, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1662,16 +1662,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:41.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -1679,52 +1670,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032445603Z", - "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49746 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:47.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2007, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1732,16 +1731,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:47.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -1749,52 +1739,60 @@ "192.168.0.89" ] }, + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2007 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:48.000Z", + "cisco": { + "asa": { + "destination_interface": "dmz", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.33.31", + "ip": "192.168.33.31", + "port": 25 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032445936Z", - "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "rule_name": "acl_in", - "source_interface": "inside" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 25, - "address": "192.168.33.31", - "ip": "192.168.33.31" - }, - "source": { - "port": 43013, - "address": "10.0.0.13", - "ip": "10.0.0.13" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1802,16 +1800,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2013-04-30T09:22:48.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -1819,52 +1808,60 @@ "192.168.33.31" ] }, + "source": { + "address": "10.0.0.13", + "ip": "10.0.0.13", + "port": 43013 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:56.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.89", + "ip": "192.168.0.89", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032446284Z", - "original": "Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] }, - "cisco": { - "asa": { - "destination_interface": "dmz", - "rule_name": "acl_in", - "source_interface": "inside" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.89", - "ip": "192.168.0.89" - }, - "source": { - "port": 2008, - "address": "10.0.0.16", - "ip": "10.0.0.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1872,16 +1869,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:56.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -1889,51 +1877,52 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032446613Z", - "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2008 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:02.000Z", "cisco": { "asa": { - "destination_interface": "outside", - "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "critical" }, "destination": { - "port": 137, "address": "10.1.2.42", - "ip": "10.1.2.42" + "ip": "10.1.2.42", + "port": 137 }, - "source": { - "port": 137, - "address": "192.168.2.66", - "ip": "192.168.2.66" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106006", + "kind": "event", + "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", + "outcome": "failure", + "severity": 2, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "critical" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "inbound", "iana_number": "17", - "transport": "udp", - "direction": "inbound" + "transport": "udp" }, "observer": { "ingress": { 
@@ -1945,118 +1934,123 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2013-04-30T09:23:02.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "192.168.2.66", "10.1.2.42" ] }, + "source": { + "address": "192.168.2.66", + "ip": "192.168.2.66", + "port": 137 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:03.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "10.1.5.60", + "ip": "10.1.5.60", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032446941Z", - "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", - "code": "106006", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106007", + "kind": "event", + "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "source_interface": "inside" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "port": 53, - "address": "10.1.5.60", - "ip": "10.1.5.60" - }, - "source": { - "port": 12981, - "address": "192.168.2.66", - "ip": "192.168.2.66" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "protocol": "dns", - "transport": "udp", + "direction": "inbound", "iana_number": "17", - "direction": "inbound" + "protocol": "dns", + "transport": "udp" }, "observer": { - "type": "firewall", "product": "asa", + "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2013-04-30T09:23:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "192.168.2.66", "10.1.5.60" ] }, + "source": { + "address": "192.168.2.66", + "ip": "192.168.2.66", + "port": 12981 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2013-04-30T09:23:06.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.89", + "ip": "192.168.0.89", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032447268Z", - "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", - "code": "106007", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "asa": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.89", - "ip": "192.168.0.89" - }, - "source": { - "port": 2009, - "address": "10.0.0.16", - "ip": "10.0.0.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -2064,16 +2058,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:06.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
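Review bot: The 106007 document on the new side still carries `"cisco": { "asa": {} }`, so the expected output pins an empty container object for events where no ASA-specific field was extracted; that wastes index space and makes existence-style queries on `cisco.asa` match documents that hold nothing. The commit re-sorts keys and drops `event.ingested` but does not address this; if the pipeline has an empty-field cleanup step it apparently does not reach nested objects, though the pipeline itself is not visible from here. I would prune the empty object in the pipeline (a conditional `remove` of `cisco.asa` when it has no members, applied the same way to any other empty container) and regenerate this fixture so that `"cisco": {`, `"asa": {}` and the closing `},` disappear from this document. The 106006 document directly above shows the populated form, `"source_interface": "inside"`, so the pruning must fire only when the object is genuinely empty.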
@@ -2081,52 +2066,60 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032447603Z", - "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2009 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:08.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49776, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -2134,16 +2127,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:08.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2151,52 +2135,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032447954Z", - "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49776 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:15.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2010, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" + }, + "network": { + "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -2204,16 +2196,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:15.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2221,52 +2204,60 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032449780Z", - "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2010 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:24.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2011, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "failure", + "severity": 5, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -2274,16 +2265,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:24.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2291,52 +2273,60 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032450212Z", - "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2011 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:34.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2012, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "failure", + "severity": 5, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -2344,16 +2334,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:34.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2361,52 +2342,60 @@ "192.168.0.89" ] }, + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2012 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:40.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "acl_out", + "source_interface": "outside" + } + }, + "destination": { + "address": "10.0.0.132", + "ip": "10.0.0.132", + "port": 8111 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032450553Z", - "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "rule_name": "acl_in", - "source_interface": "inside" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 8111, - "address": "10.0.0.132", - "ip": "10.0.0.132" - }, - "source": { - "port": 53638, - "address": "192.168.2.126", - "ip": "192.168.2.126" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "outside" @@ -2414,16 +2403,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2013-04-30T09:23:40.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2431,52 +2411,60 @@ "10.0.0.132" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032450977Z", - "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.2.126", + "ip": "192.168.2.126", + "port": 53638 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:41.000Z", "cisco": { "asa": { "destination_interface": "inside", "rule_name": "acl_out", "source_interface": "outside" } - } - }, - { - "log": { - "level": "warning" }, "destination": { - "port": 8111, "address": "10.0.0.132", - "ip": "10.0.0.132" + "ip": "10.0.0.132", + "port": 8111 }, - "source": { - "port": 53638, - "address": "192.168.2.126", - "ip": "192.168.2.126" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "outside" @@ -2484,16 +2472,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2013-04-30T09:23:41.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2501,52 +2480,60 @@ "10.0.0.132" ] }, + "source": { + "address": "192.168.2.126", + "ip": "192.168.2.126", + "port": 53638 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.88", + "ip": "192.168.0.88", + "port": 40443 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032451307Z", - "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "acl_out", - "source_interface": "outside" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 40443, - "address": "192.168.0.88", - "ip": "192.168.0.88" - }, - "source": { - "port": 49840, - "address": "10.0.0.46", - "ip": "10.0.0.46" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -2554,16 +2541,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:43.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -2571,52 +2549,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032451640Z", - "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49840 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2013, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -2624,16 +2610,7 @@
 },
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "outside"
- }
- }
- },
- "@timestamp": "2013-04-30T09:23:43.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
 "ip": [
@@ -2641,52 +2618,61 @@ "192.168.0.89" ] }, + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2013 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-04-15T13:34:34.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside", + "suffix": "session" + } + }, + "destination": { + "address": "192.168.0.99", + "ip": "192.168.0.99", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032451973Z", - "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] }, - "cisco": { - "asa": { - "destination_interface": "outside", - "rule_name": "acl_in", - "source_interface": "inside" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.99", - "ip": "192.168.0.99" - }, - "source": { - "port": 2241, - "address": "10.0.0.16", - "ip": "10.0.0.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -2694,16 +2680,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2018-04-15T13:34:34.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2711,57 +2688,63 @@ "192.168.0.99" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032452301Z", - "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2241 }, - "cisco": { - "asa": { - "destination_interface": "outside", - "suffix": "session", - "rule_name": "acl_in", - "source_interface": "inside" - } - } + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "\u003cIP\u003e" - }, - "log": { - "level": "informational" + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco": { + "asa": { + "connection_id": "447235", + "destination_interface": "identity", + "mapped_destination_ip": "10.0.13.13", + "mapped_destination_port": 80, + "mapped_source_ip": "192.168.77.12", + "mapped_source_port": 11180, + "source_interface": "outside" + } }, "destination": { - "port": 80, "address": "10.0.13.13", - "ip": "10.0.13.13" + "ip": "10.0.13.13", + "port": 80 }, - "source": { - "port": 11180, - "address": "192.168.77.12", - "ip": "192.168.77.12" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302015", + "kind": "event", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + 
"egress": { + "interface": { + "name": "identity" + } + }, "ingress": { "interface": { "name": "outside" @@ -2769,16 +2752,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "identity" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:24.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -2786,57 +2763,60 @@ "10.0.13.13" ] }, + "source": { + "address": "192.168.77.12", + "ip": "192.168.77.12", + "port": 11180 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "dmz", + "source_interface": "dmz" + } + }, + "destination": { + "address": "192.168.0.12", + "ip": "192.168.0.12", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032452631Z", - "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "outcome": "failure", + "severity": 4, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "asa": { - "destination_interface": "identity", - "mapped_source_port": 11180, - "mapped_destination_ip": "10.0.13.13", - "mapped_source_ip": "192.168.77.12", - "connection_id": "447235", - "source_interface": "outside", - "mapped_destination_port": 80 - } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, "log": { "level": "warning" }, - "destination": { - "port": 53, - "address": "192.168.0.12", - "ip": "192.168.0.12" - }, - "source": { - "port": 5555, - "address": "192.168.1.33", - "ip": "192.168.1.33" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "dmz" 
@@ -2844,16 +2824,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:24.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -2861,55 +2835,60 @@ "192.168.0.12" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032452964Z", - "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.1.33", + "ip": "192.168.1.33", + "port": 5555 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", "cisco": { "asa": { "destination_interface": "outside", "rule_name": "dmz", "source_interface": "dmz" } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, - "log": { - "level": "warning" }, "destination": { - "port": 53, "address": "192.168.0.12", - "ip": "192.168.0.12" + "ip": "192.168.0.12", + "port": 53 }, - "source": { - "port": 5555, - "address": "192.168.1.33", - "ip": "192.168.1.33" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "dmz" 
@@ -2917,16 +2896,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:24.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -2934,73 +2907,74 @@ "192.168.0.12" ] }, + "source": { + "address": "192.168.1.33", + "ip": "192.168.1.33", + "port": 5555 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco": { + "asa": { + "connection_id": "447236", + "destination_interface": "dmz", + "mapped_destination_host": "OCSP_Server", + "mapped_destination_port": 5678, + "mapped_source_ip": "192.168.2.222", + "mapped_source_port": 1234, + "source_interface": "outside" + } + }, + "destination": { + "address": "OCSP_Server", + "domain": "OCSP_Server", + "port": 5678 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032453299Z", - "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "severity": 6, "type": [ - "info", - "denied" - ], - "outcome": "failure" - }, - "cisco": { - "asa": { - "destination_interface": "outside", - "rule_name": "dmz", - "source_interface": "dmz" - } - } - }, - { - "process": { - "name": "\u003cIP\u003e" + "info" + ] }, "log": { "level": "informational" }, - "destination": { - "port": 5678, - "address": "OCSP_Server", - "domain": "OCSP_Server" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "outside" + "name": "dmz" } }, - 
"product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { - "name": "dmz" + "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:31.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "hosts": [ 
@@ -3010,58 +2984,63 @@ "192.168.2.222" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco": { + "asa": { + "connection_id": "447236", + "destination_interface": "dmz", + "mapped_destination_host": "OCSP_Server", + "mapped_destination_port": 5678, + "mapped_source_ip": "192.168.2.222", + "mapped_source_port": 1234, + "source_interface": "outside" + } + }, + "destination": { + "address": "OCSP_Server", + "domain": "OCSP_Server", + "port": 5678 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032453635Z", - "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "asa": { - "mapped_destination_host": "OCSP_Server", - "destination_interface": "dmz", - "mapped_source_port": 1234, - "mapped_source_ip": "192.168.2.222", - "connection_id": "447236", - "source_interface": "outside", - "mapped_destination_port": 5678 - } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, "log": { "level": "informational" }, - "destination": { - "port": 5678, - "address": "OCSP_Server", - "domain": "OCSP_Server" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, "ingress": { "interface": { "name": "outside" @@ -3069,16 +3048,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:31.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "hosts": [ 
@@ -3088,58 +3061,64 @@ "192.168.2.222" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032453965Z", - "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", "cisco": { "asa": { - "mapped_destination_host": "OCSP_Server", - "destination_interface": "dmz", - "mapped_source_port": 1234, - "mapped_source_ip": "192.168.2.222", "connection_id": "447236", - "source_interface": "outside", - "mapped_destination_port": 5678 + "destination_interface": "dmz", + "source_interface": "outside" } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, - "log": { - "level": "informational" }, "destination": { - "port": 5678, "address": "192.168.1.34", - "ip": "192.168.1.34" + "ip": "192.168.1.34", + "port": 5678 }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 0, + "end": "2018-12-11T08:01:31.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-11T08:01:31.000Z", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 14804, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": 
{ + "name": "dmz" + } + }, "ingress": { "interface": { "name": "outside" @@ -3147,16 +3126,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:31.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -3164,59 +3137,64 @@ "192.168.1.34" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco": { + "asa": { + "connection_id": "447234", + "destination_interface": "dmz", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.35", + "ip": "192.168.1.35", + "port": 5678 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:57.032454310Z", - "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-12-11T08:01:31.000Z", "action": "flow-expiration", - "end": "2018-12-11T08:01:31.000Z", "category": [ "network" ], + "code": "302014", + "duration": 68000000000, + "end": "2018-12-11T08:01:38.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-11T08:00:30.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "dmz", - "connection_id": "447236", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, "log": { "level": "informational" }, - "destination": { - "port": 5678, - "address": "192.168.1.35", - "ip": "192.168.1.35" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 134781, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, "ingress": { "interface": { 
"name": "outside" @@ -3224,16 +3202,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:38.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -3241,59 +3213,64 @@ "192.168.1.35" ] }, - "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:57.032454641Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-12-11T08:00:30.000Z", - "action": "flow-expiration", - "end": "2018-12-11T08:01:38.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", "cisco": { "asa": { - "destination_interface": "dmz", "connection_id": "447234", + "destination_interface": "dmz", "source_interface": "outside" } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, - "log": { - "level": "informational" }, "destination": { - "port": 5678, "address": "192.168.1.35", - "ip": "192.168.1.35" + "ip": "192.168.1.35", + "port": 5678 }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 68000000000, + "end": "2018-12-11T08:01:38.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-11T08:00:30.000Z", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 134781, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, 
"ingress": { "interface": { "name": "outside" @@ -3301,16 +3278,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:38.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -3318,53 +3289,48 @@ "192.168.1.35" ] }, - "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:57.032454969Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-12-11T08:00:30.000Z", - "action": "flow-expiration", - "end": "2018-12-11T08:01:38.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", "cisco": { "asa": { - "destination_interface": "dmz", - "connection_id": "447234", "source_interface": "outside" } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, - "log": { - "level": "informational" }, "destination": { - "port": 5679, "address": "192.168.1.34", - "ip": "192.168.1.34" + "ip": "192.168.1.34", + "port": 5679 }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106015", + "kind": "event", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "outcome": "failure", + "severity": 6, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" @@ -3379,9 +3345,8 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:38.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -3389,48 +3354,48 @@ "192.168.1.34" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco": { + "asa": { + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.34", + "ip": "192.168.1.34", + "port": 5679 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032455305Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "code": "106015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106015", + "kind": "event", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "outcome": "failure", + "severity": 6, "type": [ "info", "denied" - ], - "outcome": "failure" - }, - "cisco": { - "asa": { - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "\u003cIP\u003e" + ] }, "log": { "level": "informational" }, - "destination": { - "port": 5679, - "address": "192.168.1.34", - "ip": "192.168.1.34" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" @@ -3445,9 +3410,8 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:38.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -3455,53 +3419,60 @@ "192.168.1.34" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:39.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "rule_name": "dmz", + "source_interface": "dmz" + } + }, + "destination": { + "address": "192.168.0.12", + "ip": "192.168.0.12", + "port": 5000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032455633Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "code": "106015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" - }, - "cisco": { - "asa": { - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "\u003cIP\u003e" + ] }, "log": { "level": "warning" }, - "destination": { - "port": 5000, - "address": "192.168.0.12", - "ip": "192.168.0.12" - }, - "source": { - "port": 5679, - "address": "192.168.1.34", - "ip": "192.168.1.34" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "dmz" 
@@ -3509,16 +3480,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:39.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -3526,56 +3491,63 @@ "192.168.0.12" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032455963Z", - "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.1.34", + "ip": "192.168.1.34", + "port": 5679 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", "cisco": { "asa": { - "destination_interface": "outside", - "rule_name": "dmz", - "source_interface": "dmz" + "connection_id": "447237", + "destination_interface": "dmz", + "mapped_destination_ip": "192.168.1.34", + "mapped_destination_port": 65000, + "mapped_source_ip": "192.168.2.222", + "mapped_source_port": 1234, + "source_interface": "outside" } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, - "log": { - "level": "informational" }, "destination": { - "port": 65000, "address": "192.168.1.34", - "ip": "192.168.1.34" + "ip": "192.168.1.34", + "port": 65000 }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } 
+ }, "ingress": { "interface": { "name": "outside" @@ -3583,16 +3555,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:53.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -3600,58 +3566,63 @@ "192.168.1.34" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032456380Z", - "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", "cisco": { "asa": { + "connection_id": "447237", "destination_interface": "dmz", - "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", + "mapped_destination_port": 65000, "mapped_source_ip": "192.168.2.222", - "connection_id": "447237", - "source_interface": "outside", - "mapped_destination_port": 65000 + "mapped_source_port": 1234, + "source_interface": "outside" } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, - "log": { - "level": "informational" }, "destination": { - "port": 65000, "address": "192.168.1.34", - "ip": "192.168.1.34" + "ip": "192.168.1.34", + "port": 65000 }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": 
{ + "name": "dmz" + } + }, "ingress": { "interface": { "name": "outside" @@ -3659,16 +3630,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:53.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -3676,58 +3641,64 @@ "192.168.1.34" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032456719Z", - "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", "cisco": { "asa": { - "destination_interface": "dmz", - "mapped_source_port": 1234, - "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.168.2.222", "connection_id": "447237", - "source_interface": "outside", - "mapped_destination_port": 65000 + "destination_interface": "dmz", + "source_interface": "outside" } - } - }, - { - "process": { - "name": "\u003cIP\u003e" - }, - "log": { - "level": "informational" }, "destination": { - "port": 1235, "address": "10.10.10.10", - "ip": "10.10.10.10" + "ip": "10.10.10.10", + "port": 1235 }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 86399000000000, + "end": "2018-12-11T08:01:53.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-10T08:01:54.000Z", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 11420, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + 
"interface": { + "name": "dmz" + } + }, "ingress": { "interface": { "name": "outside" @@ -3735,16 +3706,10 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:53.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "\u003cIP\u003e" }, "related": { "ip": [ 
@@ -3752,56 +3717,63 @@ "10.10.10.10" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2012-08-15T23:30:09.000Z", + "cisco": { + "asa": { + "connection_id": "40", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "10.44.2.2", + "ip": "10.44.2.2", + "port": 500 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "duration": 86399000000000, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:36:57.032457049Z", - "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-12-10T08:01:54.000Z", "action": "flow-expiration", - "end": "2018-12-11T08:01:53.000Z", "category": [ "network" ], + "code": "302016", + "duration": 122000000000, + "end": "2012-08-15T23:30:09.000Z", + "kind": "event", + "original": "Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", + "severity": 6, + "start": "2012-08-15T23:28:07.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "asa": { - "destination_interface": "dmz", - "connection_id": "447237", - "source_interface": "outside" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 500, - "address": "10.44.2.2", - "ip": "10.44.2.2" - }, - "source": { - "port": 500, - "address": "10.44.4.4", - "ip": "10.44.4.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 1416, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "outside" 
@@ -3809,16 +3781,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2012-08-15T23:30:09.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -3826,62 +3789,61 @@ "10.44.2.2" ] }, - "event": { - "severity": 6, - "duration": 122000000000, - "ingested": "2021-12-14T14:36:57.032457379Z", - "original": "Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", - "code": "302016", - "kind": "event", - "start": "2012-08-15T23:28:07.000Z", - "action": "flow-expiration", - "end": "2012-08-15T23:30:09.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "10.44.4.4", + "ip": "10.44.4.4", + "port": 500 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:50:53.000Z", "cisco": { "asa": { - "destination_interface": "inside", - "connection_id": "40", - "source_interface": "outside" + "source_interface": "Mobile_Traffic" } - } - }, - { - "log": { - "level": "critical" }, "destination": { "address": "192.168.99.47", "ip": "192.168.99.47" }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, + "type": [ + "info", + "denied" + ] + }, + "host": { + "hostname": "GIFRCHN01" + }, + "log": { + "level": "critical" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:50:53.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -3891,61 +3853,60 @@ "192.168.99.47" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:51:01.000Z", + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.57", + "ip": "192.168.99.57" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032457784Z", - "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "asa": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.57", - "ip": "192.168.99.57" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:01.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -3955,61 +3916,60 @@ "192.168.99.57" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.47", + "ip": "192.168.99.47" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032458110Z", - "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "asa": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.47", - "ip": "192.168.99.47" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:05.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4019,61 +3979,60 @@ "192.168.99.47" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.47", + "ip": "192.168.99.47" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032458446Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "asa": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.47", - "ip": "192.168.99.47" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:05.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4083,61 +4042,60 @@ "192.168.99.47" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:51:06.000Z", + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.57", + "ip": "192.168.99.57" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032458780Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "asa": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.57", - "ip": "192.168.99.57" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:06.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4147,61 +4105,60 @@ "192.168.99.57" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:51:17.000Z", + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.57", + "ip": "192.168.99.57" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032459115Z", - "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "asa": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.57", - "ip": "192.168.99.57" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4211,125 +4168,123 @@ "192.168.99.57" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:52:48.000Z", + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.1.255", + "ip": "192.168.1.255" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032459463Z", - "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "asa": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.1.255", - "ip": "192.168.1.255" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:52:48.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.168.1.255" + ] + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:53:00.000Z", + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.1.255", + "ip": "192.168.1.255" + }, "ecs": { 
"version": "1.12.0" }, - "related": { - "hosts": [ - "GIFRCHN01" - ], - "ip": [ - "0.0.0.0", - "192.168.1.255" - ] - }, - "host": { - "hostname": "GIFRCHN01" - }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032459799Z", - "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "asa": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.1.255", - "ip": "192.168.1.255" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:53:00.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4339,71 +4294,71 @@ "192.168.1.255" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:53:01.000Z", + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "PERMIT_IN", + "source_interface": "outside" + } + }, + "destination": { + "address": "10.32.112.125", + "ip": "10.32.112.125", + "port": 25 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:36:57.032460127Z", - "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "asa": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 25, - "address": "10.32.112.125", - "ip": "10.32.112.125" - }, - "source": { - "port": 24069, - "address": "192.168.2.95", - "ip": "192.168.2.95" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "outside" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2014-09-12T06:53:01.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -4414,63 +4369,63 @@ "10.32.112.125" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "192.168.2.95", + "ip": "192.168.2.95", + "port": 24069 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:53:02.000Z", + "cisco": { + "asa": { + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "Outside" + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032460468Z", - "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "313001", + "kind": "event", + "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", + "outcome": "failure", + "severity": 3, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "asa": { - "destination_interface": "inside", - "rule_name": "PERMIT_IN", - "source_interface": "outside" - } - } - }, - { "log": { "level": "error" }, - "source": { - "address": "10.2.3.5", - "ip": "10.2.3.5" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" }, "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Outside" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:53:02.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4479,48 +4434,47 @@ "10.2.3.5" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "10.2.3.5", + "ip": "10.2.3.5" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2015-01-14T13:16:13.000Z", + "cisco": { + "asa": { + "icmp_type": 0, + "source_interface": "inside" + } + }, + "destination": { + "address": "172.16.1.10", + "ip": "172.16.1.10" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 3, - "ingested": "2021-12-14T14:36:57.032460801Z", - "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", - "code": "313001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "313004", + "kind": "event", + "original": "Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "asa": { - "icmp_type": 3, - "source_interface": "Outside", - "icmp_code": 3 - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "address": "172.16.1.10", - "ip": "172.16.1.10" - }, - "source": { - "address": "172.16.30.2", - "ip": "172.16.30.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" 
@@ -4535,69 +4489,70 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2015-01-14T13:16:13.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "172.16.30.2", "172.16.1.10" ] }, + "source": { + "address": "172.16.30.2", + "ip": "172.16.30.2" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco": { + "asa": { + "destination_interface": "outside", + "mapped_destination_ip": "192.168.99.129", + "mapped_destination_port": 80, + "mapped_source_ip": "192.168.99.1", + "mapped_source_port": 7890, + "rule_name": "dynamic", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.99.129", + "domain": "bad.example.com", + "ip": "192.168.99.129", + "port": 80 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032461136Z", - "original": "Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", - "code": "313004", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "338002", + "kind": "event", + "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", + "outcome": "success", + "severity": 4, "type": [ "info", - "denied" - ], - "outcome": "failure" - }, - "cisco": { - "asa": { - "icmp_type": 0, - "source_interface": "inside" - } - } - }, - { - "server": { - "domain": "bad.example.com" + "allowed" + ] }, "log": { "level": "warning" }, - "destination": { - "address": "192.168.99.129", - "port": 80, - "domain": "bad.example.com", - "ip": "192.168.99.129" - }, - "source": { - "nat": { - "port": 7890, - "ip": "192.168.99.1" - }, - "address": "10.1.1.45", - "port": 6798, - "ip": "10.1.1.45" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -4605,16 +4560,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2015-01-14T13:16:14.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -4626,59 +4572,72 @@ "192.168.99.129" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032461467Z", - "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", - "code": "338002", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "server": { + "domain": "bad.example.com" + }, + "source": { + "address": "10.1.1.45", + "ip": "10.1.1.45", + "nat": { + "ip": "192.168.99.1", + "port": 7890 + }, + "port": 6798 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", "cisco": { "asa": { - "destination_interface": "outside", - "mapped_source_port": 7890, - "mapped_destination_ip": "192.168.99.129", - "mapped_source_ip": "192.168.99.1", + "destination_interface": "outsidet", + "mapped_destination_ip": "192.168.2.223", + "mapped_destination_port": 80, + "mapped_source_ip": "10.2.1.1", + "mapped_source_port": 33340, "rule_name": "dynamic", "source_interface": "inside", - "mapped_destination_port": 80 + "threat_category": "Malware", + "threat_level": "very-high" } - } - }, - { - "log": { - "level": "warning" }, "destination": { - "port": 80, "address": "192.168.2.223", - "ip": "192.168.2.223" + "ip": "192.168.2.223", + "port": 80 }, - "source": { - "nat": { - "ip": "10.2.1.1" - }, - "address": "10.1.1.1", - "port": 33340, - "ip": "10.1.1.1" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "338004", + "kind": "event", + "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 
resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "outcome": "monitored", + "severity": 4, + "type": [ + "info" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outsidet" + } + }, "ingress": { "interface": { "name": "inside" @@ -4686,16 +4645,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outsidet" - } - } - }, - "@timestamp": "2015-01-14T13:16:14.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
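Review bot: The 338004 Dynamic Filter expectation in this hunk keeps `"outcome": "monitored"`, which is not one of the values ECS (the file pins `ecs.version` 1.12.0) allows for `event.outcome` — only `success`, `failure` and `unknown` — so a change described as making fields agree with ECS still ships a non-ECS value here, and any detection rule or visualization filtering on the ECS-allowed outcomes will silently miss these events. The monitored-versus-dropped distinction is already carried by `event.code` (338004 versus 338008) and by `event.type` (`["info"]` here versus `["info", "denied"]` for the dropped variant), so the expected document could read `"outcome": "unknown"` or drop the field; the original value is presumably worth keeping in a `cisco.asa.*` field if anyone depends on it. Since this file is pipeline output, the fix belongs in the ingest pipeline that emits the value (outside this diff), with the expectation regenerated afterwards.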
@@ -4704,60 +4654,69 @@ "192.168.2.223" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032461793Z", - "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "code": "338004", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ], - "outcome": "monitored" + "source": { + "address": "10.1.1.1", + "ip": "10.1.1.1", + "nat": { + "ip": "10.2.1.1" + }, + "port": 33340 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", "cisco": { "asa": { "destination_interface": "outsidet", - "mapped_source_port": 33340, - "threat_level": "very-high", "mapped_destination_ip": "192.168.2.223", + "mapped_destination_port": 80, "mapped_source_ip": "10.2.1.1", + "mapped_source_port": 33340, "rule_name": "dynamic", "source_interface": "inside", - "mapped_destination_port": 80, - "threat_category": "Malware" + "threat_category": "Malware", + "threat_level": "very-high" } - } - }, - { - "log": { - "level": "warning" }, "destination": { - "port": 80, "address": "192.168.2.223", - "ip": "192.168.2.223" + "ip": "192.168.2.223", + "port": 80 }, - "source": { - "nat": { - "ip": "10.2.1.1" - }, - "address": "10.1.1.1", - "port": 33340, - "ip": "10.1.1.1" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "338008", + "kind": "event", + "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: 
Malware", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outsidet" + } + }, "ingress": { "interface": { "name": "inside" @@ -4765,16 +4724,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outsidet" - } - } - }, - "@timestamp": "2015-01-14T13:16:14.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -4783,168 +4733,158 @@ "192.168.2.223" ] }, + "source": { + "address": "10.1.1.1", + "ip": "10.1.1.1", + "nat": { + "ip": "10.2.1.1" + }, + "port": 33340 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2009-11-16T14:12:35.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "192.168.2.1", + "ip": "192.168.2.1" + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:36:57.032462124Z", - "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "code": "338008", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304001", + "kind": "event", + "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "asa": { - "destination_interface": "outsidet", - "mapped_source_port": 33340, - "threat_level": "very-high", - "mapped_destination_ip": "192.168.2.223", - "mapped_source_ip": "10.2.1.1", - "rule_name": "dynamic", - "source_interface": "inside", - "mapped_destination_port": 80, - "threat_category": "Malware" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "address": "192.168.2.1", - "ip": "192.168.2.1" + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.30.30.30", + "192.168.2.1" + ] }, "source": { "address": "10.30.30.30", "ip": "10.30.30.30" }, - "url": { - "path": "/app", - "original": "/app" - }, "tags": [ "preserve_original_event" ], - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" + "url": { + "original": 
"/app", + "path": "/app" + } + }, + { + "@timestamp": "2009-11-16T14:12:36.000Z", + "cisco": { + "asa": {} + }, + "destination": { + "address": "192.168.2.32", + "ip": "192.168.2.32" }, - "@timestamp": "2009-11-16T14:12:35.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.30.30.30", - "192.168.2.1" - ] - }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032462461Z", - "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", - "code": "304001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304001", + "kind": "event", + "original": "Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] }, - "cisco": { - "asa": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "address": "192.168.2.32", - "ip": "192.168.2.32" + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.5.111.32", + "192.168.2.32" + ] }, "source": { "address": "10.5.111.32", "ip": "10.5.111.32" }, - "url": { - "path": "", - "original": "http://example.com", - "scheme": "http", - "domain": "example.com" - }, "tags": [ "preserve_original_event" ], - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" + "url": { + "domain": "example.com", + "original": "http://example.com", + "path": "", + "scheme": "http" + } + }, + { + "@timestamp": "2009-11-16T14:12:37.000Z", + "cisco": { + "asa": { + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.19", + "ip": "192.168.0.19" }, - "@timestamp": "2009-11-16T14:12:36.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.5.111.32", - "192.168.2.32" - ] - }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032462815Z", - "original": "Nov 16 2009 14:12:36: 
%ASA-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", - "code": "304001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304002", + "kind": "event", + "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", + "outcome": "failure", + "severity": 5, "type": [ "info", - "allowed" - ], - "outcome": "success" + "denied" + ] }, - "cisco": { - "asa": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "address": "192.168.0.19", - "ip": "192.168.0.19" - }, - "source": { - "address": "10.69.6.39", - "ip": "10.69.6.39" - }, - "url": { - "path": "/images/favicon.ico", - "extension": "ico", - "original": "http://www.example.net/images/favicon.ico", - "scheme": "http", - "domain": "www.example.net" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "ingress": { "interface": { 
@@ -4955,79 +4895,91 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2009-11-16T14:12:37.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.69.6.39", "192.168.0.19" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:36:57.032463152Z", - "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", - "code": "304002", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.69.6.39", + "ip": "10.69.6.39" }, - "cisco": { - "asa": { - "source_interface": "inside" - } + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.net", + "extension": "ico", + "original": "http://www.example.net/images/favicon.ico", + "path": "/images/favicon.ico", + "scheme": "http" } }, { - "log": { - "level": "informational" + "@timestamp": "2021-01-13T19:12:37.000Z", + "cisco": { + "asa": { + "connection_id": "27215708", + "destination_interface": "vlan-42", + "mapped_destination_ip": "81.2.69.144", + "mapped_destination_port": 80, + "mapped_source_ip": "81.2.69.144", + "mapped_source_port": 49926, + "source_interface": "internet", + "source_username": "LOCAL\\username" + } }, "destination": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", + "ip": "81.2.69.144", "port": 80, "user": { "name": "username" - }, - "ip": "81.2.69.144" + } }, - "source": { - "nat": { - "ip": "81.2.69.144" - }, - "address": "10.2.3.4", - "port": 49926, - "ip": 
"10.2.3.4" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.144/49926)(LOCAL\\username) to vlan-42:81.2.69.144/80 (81.2.69.144/80) (username)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "inbound", "iana_number": "6", - "transport": "tcp", - "direction": "inbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "vlan-42" + } + }, "ingress": { "interface": { "name": "internet" 
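Review bot: `cisco.asa.source_username` keeps the raw `LOCAL\\username` token and is never split into ECS `source.user.domain` / `source.user.name`, while the destination-side `(username)` from the same message does reach `destination.user.name`; for a change whose stated goal is ECS agreement, that asymmetry leaves the source user unsearchable in the ECS user fields. The fix belongs in the ASA pipeline rather than this fixture: a `dissect` on `cisco.asa.source_username` with pattern `%{source.user.domain}\\%{source.user.name}` (and a plain copy to `source.user.name` when the token has no backslash), plus an append to `related.user`, would then show up here as new expected fields. The event object in this hunk continues past its last line, so its `related` and `user` blocks are not visible here.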
@@ -5035,52 +4987,28 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "vlan-42" - } - } - }, - "@timestamp": "2021-01-13T19:12:37.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "username" - ], "ip": [ "10.2.3.4", "81.2.69.144" - ] - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:36:57.032463486Z", - "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.144/49926)(LOCAL\\username) to vlan-42:81.2.69.144/80 (81.2.69.144/80) (username)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" ], - "type": [ - "info" + "user": [ + "username" ] }, - "cisco": { - "asa": { - "destination_interface": "vlan-42", - "mapped_source_port": 49926, - "mapped_destination_ip": "81.2.69.144", - "mapped_source_ip": "81.2.69.144", - "connection_id": "27215708", - "source_interface": "internet", - "mapped_destination_port": 80, - "source_username": "LOCAL\\username" - } + "source": { + "address": "10.2.3.4", + "ip": "10.2.3.4", + "nat": { + "ip": "81.2.69.144" + }, + "port": 49926 }, + "tags": [ + "preserve_original_event" + ], "user": { "name": "username" } diff --git a/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml index b5ce3fda640..d69265b5550 100644 --- a/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml @@ -1,9 +1,6 @@ --- description: "Pipeline for Cisco ASA logs" processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - rename: field: message target_field: event.original 
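Review bot: Dropping the `set` of `event.ingested` leaves this pipeline with nothing that records ingest time, so the field now depends on something downstream (presumably the Fleet final pipeline) stamping it; that dependency is invisible to anyone running the pipeline outside Fleet and is not stated anywhere in the hunk. I would record it next to the `description:` line, e.g. `# event.ingested is intentionally not set here: the Fleet final pipeline stamps it, and setting it in both places makes pipeline test output non-deterministic.` The hunk shows only the first processors; the rest of the processor list is outside it.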
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json index 2c8960a2313..a63a518b707 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json 
@@ -1,46 +1,67 @@ { "expected": [ { - "log": { - "level": "informational" + "@timestamp": "2020-04-17T14:08:08.000Z", + "cisco": { + "ftd": { + "connection_id": "110577675", + "destination_interface": "Inside", + "source_interface": "Outside", + "source_username": "(LOCAL\\Elastic)", + "termination_user": "zzzzzz" + } }, "destination": { - "port": 53, "address": "10.233.123.123", - "ip": "10.233.123.123" + "ip": "10.233.123.123", + "port": 53 }, - "source": { - "port": 53723, - "address": "10.123.123.123", - "ip": "10.123.123.123" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302016", + "duration": 0, + "end": "2020-04-17T14:08:08.000Z", + "kind": "event", + "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", + "severity": 6, + "start": "2020-04-17T14:08:08.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 148, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "Inside" + } + }, + "hostname": "SNL-ASA-VPN-A01", "ingress": { "interface": { "name": "Outside" } }, - "hostname": "SNL-ASA-VPN-A01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "Inside" - } - } - }, - "@timestamp": "2020-04-17T14:08:08.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
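Review bot: `cisco.ftd.source_username` is captured as `"(LOCAL\\Elastic)"` with the enclosing parentheses included, so the stored value is not the username the message carries; the ASA expected output in this same PR stores the identical syslog token without parentheses (`LOCAL\\username`), so the two data streams now disagree on the same input. The FTD grok/dissect that captures this field should exclude the parentheses (or a `gsub` on `cisco.ftd.source_username` with pattern `^\\((.*)\\)$` and replacement `$1` can strip them), and the expected value here should become `LOCAL\\Elastic`. The username is also not surfaced in `source.user.*` or `related.user`, which is where ECS consumers will look for it. The hunk ends mid-event; the `related` and `source` blocks follow outside it.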
@@ -51,75 +72,71 @@ "10.233.123.123" ] }, - "host": { - "hostname": "SNL-ASA-VPN-A01" + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 53723 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-17T14:00:31.000Z", + "cisco": { + "ftd": { + "destination_interface": "Outside", + "rule_name": "Inside_access_in", + "source_interface": "Inside" + } + }, + "destination": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:04.974743379Z", - "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", - "code": "302016", - "kind": "event", - "start": "2020-04-17T14:08:08.000Z", - "action": "flow-expiration", - "end": "2020-04-17T14:08:08.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ - "connection", - "end" + "info", + "denied" ] }, - "cisco": { - "ftd": { - "source_username": "(LOCAL\\Elastic)", - "destination_interface": "Inside", - "termination_user": "zzzzzz", - "connection_id": "110577675", - "source_interface": "Outside" - } - } - }, - { + "host": { + "hostname": "SNL-ASA-VPN-A01" + }, "log": { "level": "warning" }, - "destination": { - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "source": { - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" }, "observer": { + "egress": { + "interface": { + "name": "Outside" + 
} + }, + "hostname": "SNL-ASA-VPN-A01", "ingress": { "interface": { "name": "Inside" } }, - "hostname": "SNL-ASA-VPN-A01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "Outside" - } - } - }, - "@timestamp": "2020-04-17T14:00:31.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
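Review bot: `cisco.ftd.rule_name` holds the access-group `Inside_access_in` but nothing copies it to ECS `rule.name`, the field that detection rules and the SIEM UI key on for the rule that produced a deny; the same gap applies to the `acl_dmz` event later in this file. A `set` in the FTD pipeline with `field: rule.name`, `copy_from: cisco.ftd.rule_name`, `ignore_empty_value: true` would close it, with the expected files regenerated. The ICMP `type 11, code 0` in `event.original` is also dropped entirely, which loses the only detail separating a TTL-exceeded deny from other ICMP traffic; vendor fields such as `cisco.ftd.icmp_type` / `cisco.ftd.icmp_code` would preserve it. The event object continues beyond the hunk's last line.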
@@ -129,55 +146,59 @@ "10.123.123.123" ] }, - "host": { - "hostname": "SNL-ASA-VPN-A01" + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "acl_dmz", + "source_interface": "dmz" + } + }, + "destination": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 53 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:04.974745470Z", - "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "Outside", - "rule_name": "Inside_access_in", - "source_interface": "Inside" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 53, - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "source": { - "port": 6316, - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "dmz" 
@@ -185,86 +206,80 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-15T09:36:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ "10.123.123.123" ] }, + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 6316 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-17T14:16:20.000Z", + "cisco": { + "ftd": { + "destination_interface": "Outside", + "rule_name": "Inside_access_in", + "source_interface": "Inside", + "source_username": "(LOCAL\\Elastic)" + } + }, + "destination": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 57621 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:04.974745944Z", - "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "rule_name": "acl_dmz", - "source_interface": "dmz" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 57621, - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "source": { - "port": 57621, - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, 
"observer": { + "egress": { + "interface": { + "name": "Outside" + } + }, + "hostname": "SNL-ASA-VPN-A01", "ingress": { "interface": { "name": "Inside" } }, - "hostname": "SNL-ASA-VPN-A01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "Outside" - } - } - }, - "@timestamp": "2020-04-17T14:16:20.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -274,59 +289,54 @@ "10.123.123.123" ] }, - "host": { - "hostname": "SNL-ASA-VPN-A01" + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123", + "port": 57621 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-04-17T14:15:07.000Z", + "cisco": { + "ftd": {} + }, + "destination": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:04.974746366Z", - "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106017", + "kind": "event", + "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" }, - "cisco": { - "ftd": { - "source_username": "(LOCAL\\Elastic)", - "destination_interface": "Outside", - "rule_name": "Inside_access_in", - "source_interface": "Inside" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "source": { - "address": "10.123.123.123", - "ip": "10.123.123.123" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "SNL-ASA-VPN-A01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-04-17T14:15:07.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "SNL-ASA-VPN-A01" 
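Review bot: The 106017 event carries an empty `"cisco": { "ftd": {} }` object because no vendor field applies to it, and an empty container is indexed as nothing while still being written into every such document's `_source`; the pipeline should drop the container when it ends up empty rather than letting fixtures encode it. A final `remove` processor with `field: cisco.ftd` guarded by `if: ctx.cisco?.ftd != null && ctx.cisco.ftd.isEmpty()` does this (the ASA pipeline has the same pattern with `cisco.asa`). Separately, a land-attack deny is a spoofing signal rather than a plain policy deny, so adding `intrusion_detection` to `event.category` is defensible; that is a judgement call, so whichever way it goes deserves a comment at the processor that assigns the category. This event's `related` and `source` blocks sit in the next hunk.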
@@ -335,28 +345,13 @@ "10.123.123.123" ] }, - "host": { - "hostname": "SNL-ASA-VPN-A01" - }, - "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:04.974746770Z", - "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", - "code": "106017", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123" }, - "cisco": { - "ftd": {} - } + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json index 0cf9c379306..703ec0f58c2 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json 
@@ -1,49 +1,63 @@ { "expected": [ { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } }, "destination": { - "port": 8256, "address": "192.168.98.44", - "ip": "192.168.98.44" + "ip": "192.168.98.44", + "port": 8256 }, - "source": { - "port": 1772, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
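Review bot: For 305011 the "to" pair `outside:192.168.98.44/8256` is, per Cisco's message format for translation events, the NAT-mapped address of the inside host rather than a peer it talked to, yet the event stores it as `destination.ip` / `destination.port`; anyone correlating on `destination.ip` will see the firewall's own mapped address as a destination. ECS models this as `source.nat.ip` / `source.nat.port` (the translated source), with `observer.ingress`/`observer.egress` still carrying the interfaces. The grok mapping for this code should target `source.nat.*` instead of `destination.*`, with the fixture regenerated; if `destination.*` is being kept for compatibility with existing dashboards, that trade-off should be noted in the pipeline next to the 305011 handling. The event's `related` and `source` blocks continue past the hunk.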
@@ -54,75 +68,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11757", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1772, + "mapped_source_ip": "192.168.205.104", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575470184Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1772, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.205.104", - "ip": "192.168.205.104" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -133,80 +151,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.205.104", + "ip": "192.168.205.104", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11749", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1758 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575472447Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.205.104", - "connection_id": "11757", - "source_interface": "outside", - "mapped_destination_port": 1772 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1758, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.211.242", - "ip": "192.168.211.242" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { "bytes": 38110, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
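Review bot: `event.action` is `flow-expiration` although `event.reason` records `TCP Reset-I`, i.e. the flow was actively torn down by a reset from the inside host rather than expiring; using one action value for every 302014 means a rule keyed on `event.action` cannot separate idle timeouts from resets without parsing `event.reason`. Since `event.action` values are part of the integration's contract I would not change it in this PR, but the divergence deserves a comment at the processor that sets it, e.g. `# every 302014/302016 teardown is tagged flow-expiration regardless of cause; the cause is in event.reason`. Note also that `event.start` is derived by subtracting the second-granularity `duration 0:01:07` from the syslog timestamp, so it is only accurate to about one second, which is worth a comment where it is computed. This event's `related` and `source` blocks continue in the next hunk.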
@@ -217,81 +235,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575472839Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.211.242", + "ip": "192.168.211.242", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { + "connection_id": "11748", "destination_interface": "inside", - "connection_id": "11749", "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1757, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1757 }, - "source": { - "port": 80, - "address": "192.168.211.242", - "ip": "192.168.211.242" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 
44010, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -302,81 +319,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.211.242", + "ip": "192.168.211.242", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11745", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1755 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575473181Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11748", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1755, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.185.90", - "ip": "192.168.185.90" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 7652, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -387,81 +403,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.185.90", + "ip": "192.168.185.90", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11744", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1754 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575473538Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11745", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1754, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.185.90", - "ip": "192.168.185.90" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 7062, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -472,81 +487,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.185.90", + "ip": "192.168.185.90", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11742", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1752 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575473870Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 68000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:48.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11744", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1752, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.160.197", - "ip": "192.168.160.197" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 5738, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -557,81 +571,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.160.197", + "ip": "192.168.160.197", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11738", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1749 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575474204Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:48.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 68000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:48.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11742", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1749, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.205.14", - "ip": "192.168.205.14" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 4176, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -642,81 +655,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.205.14", + "ip": "192.168.205.14", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11739", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1750 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575474541Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:48.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 68000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:48.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11738", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1750, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.33", - "ip": "192.168.124.33" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 1715, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -727,81 +739,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.33", + "ip": "192.168.124.33", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11731", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1747 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575474876Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:48.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11739", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1747, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.35.9", - "ip": "192.168.35.9" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 45595, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -812,81 +823,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.35.9", + "ip": "192.168.35.9", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11723", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1742 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575475220Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11731", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1742, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.211.242", - "ip": "192.168.211.242" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 27359, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -897,81 +907,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.211.242", + "ip": "192.168.211.242", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11715", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1741 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575475550Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11723", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1741, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.218.21", - "ip": "192.168.218.21" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 4457, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -982,81 +991,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.218.21", + "ip": "192.168.218.21", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11711", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1739 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575476070Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11715", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1739, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.27", - "ip": "192.168.198.27" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 26709, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1067,81 +1075,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.27", + "ip": "192.168.198.27", + "port": 80 }, - "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575476529Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11712", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1740 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 69000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:47.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11711", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1740, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.27", - "ip": "192.168.198.27" - }, - "tags": [ - "preserve_original_event" - 
], "network": { "bytes": 22097, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1152,81 +1159,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.27", + "ip": "192.168.198.27", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11708", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1738 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 69000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575476868Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:47.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 70000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:46.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11712", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1738, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.202.211", - "ip": "192.168.202.211" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 2209, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1237,81 +1243,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.202.211", + "ip": "192.168.202.211", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11746", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1756 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 70000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575477202Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:46.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 67000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:49.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11708", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1756, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.15", - "ip": "192.168.124.15" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 10404, "iana_number": 
"6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1322,81 +1327,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 67000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575477534Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:49.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.124.15", + "ip": "192.168.124.15", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { + "connection_id": "11706", "destination_interface": "inside", - "connection_id": "11746", "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1737, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1737 }, - "source": { - "port": 80, - "address": "192.168.124.15", - "ip": "192.168.124.15" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 70000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:46.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 
123694, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1407,81 +1411,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.15", + "ip": "192.168.124.15", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11702", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1736 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 70000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575477996Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:46.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 71000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:33:45.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11706", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1736, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.209.247", - "ip": "192.168.209.247" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 35835, 
"iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1492,81 +1495,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.209.247", + "ip": "192.168.209.247", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11753", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1765 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 71000000000, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575478333Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:33:45.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 30000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "reason": "SYN Timeout", + "severity": 6, + "start": "2018-10-10T12:34:26.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11702", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1765, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.35.162", - "ip": "192.168.35.162" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 0, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1577,80 +1579,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.35.162", + "ip": "192.168.35.162", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 1188 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 30000000000, - "reason": "SYN Timeout", - "ingested": "2021-12-14T14:37:05.575478694Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:26.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11753", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1188, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": 
"inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1661,75 +1656,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11758", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.80.32", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575479032Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.80.32", - "ip": "192.168.80.32" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1740,80 +1739,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.80.32", + "ip": "192.168.80.32", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11758", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575479368Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.80.32", - "connection_id": "11758", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.80.32", - "ip": "192.168.80.32" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 148, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1824,80 +1822,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.80.32", + "ip": "192.168.80.32", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11759", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.252.6", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575479696Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11758", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.252.6", - "ip": "192.168.252.6" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": 
"17", - "transport": "udp", - "direction": "outbound" + "network": { + "direction": "outbound", + "iana_number": "17", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1908,80 +1905,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.6", + "ip": "192.168.252.6", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11759", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575480029Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.252.6", - "connection_id": "11759", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.252.6", - "ip": "192.168.252.6" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 164, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -1992,79 +1988,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.6", + "ip": "192.168.252.6", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8257 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575480466Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11759", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8257, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1773, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": 
"asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2075,75 +2065,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1773 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11760", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1773, + "mapped_source_ip": "192.168.252.226", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1773 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575480818Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1773, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.252.226", - "ip": "192.168.252.226" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2154,79 +2148,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.226", + "ip": "192.168.252.226", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8258 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575481174Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.252.226", - "connection_id": "11760", - "source_interface": "outside", - "mapped_destination_port": 1773 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8258, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1774, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": 
"localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2237,75 +2225,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1774 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11761", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1774, + "mapped_source_ip": "192.168.252.226", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1774 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575481525Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1774, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.252.226", - "ip": "192.168.252.226" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2316,80 +2308,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.226", + "ip": "192.168.252.226", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11762", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.238.126", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575481852Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.252.226", - "connection_id": "11761", - "source_interface": "outside", - "mapped_destination_port": 1774 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.238.126", - "ip": "192.168.238.126" - }, - "tags": [ - "preserve_original_event" - ], 
"network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2400,80 +2391,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575482184Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.238.126", + "ip": "192.168.238.126", + "port": 53 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { + "connection_id": "11763", "destination_interface": "inside", - "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.238.126", - "connection_id": "11762", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.93.51", + "mapped_source_port": 53, + "source_interface": "outside" + } }, "destination": { - "port": 56132, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 56132 }, - "source": { - "port": 53, - "address": "192.168.93.51", - "ip": "192.168.93.51" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2484,80 +2474,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.93.51", + "ip": "192.168.93.51", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11762", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575482519Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.93.51", - "connection_id": "11763", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.238.126", - "ip": "192.168.238.126" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 111, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2568,80 +2557,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.238.126", + "ip": "192.168.238.126", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11763", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575482851Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11762", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.93.51", - "ip": "192.168.93.51" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 237, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, 
+ "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2652,79 +2640,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575483196Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.93.51", + "ip": "192.168.93.51", + "port": 53 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { - "destination_interface": "inside", - "connection_id": "11763", - "source_interface": "outside" + "destination_interface": "outside", + "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 8259, "address": "192.168.98.44", - "ip": "192.168.98.44" + "ip": "192.168.98.44", + "port": 8259 }, - "source": { - "port": 1775, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": 
"localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2735,75 +2717,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1775 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11764", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1775, + "mapped_source_ip": "192.168.225.103", + "mapped_source_port": 443, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1775 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575483541Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1775, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 443, - "address": "192.168.225.103", - "ip": "192.168.225.103" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2814,79 +2800,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.225.103", + "ip": "192.168.225.103", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 1189 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575483875Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 443, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.225.103", - "connection_id": "11764", - "source_interface": "outside", - "mapped_destination_port": 1775 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1189, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": 
"localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2897,75 +2877,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11772", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.240.126", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575484308Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.240.126", - "ip": "192.168.240.126" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -2976,80 +2960,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.240.126", + "ip": "192.168.240.126", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11773", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.44.45", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575484639Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.240.126", - "connection_id": "11772", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.44.45", - "ip": "192.168.44.45" - }, - "tags": [ - "preserve_original_event" - ], "network": 
{ + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3060,80 +3043,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.44.45", + "ip": "192.168.44.45", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11772", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575484986Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.44.45", - "connection_id": "11773", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.240.126", - "ip": "192.168.240.126" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 87, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3144,80 +3126,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.240.126", + "ip": "192.168.240.126", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11773", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575485333Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11772", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.44.45", - "ip": "192.168.44.45" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 221, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + 
"hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3228,79 +3209,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575485655Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "192.168.44.45", + "ip": "192.168.44.45", + "port": 53 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { - "destination_interface": "inside", - "connection_id": "11773", - "source_interface": "outside" + "destination_interface": "outside", + "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 8265, "address": "192.168.98.44", - "ip": "192.168.98.44" + "ip": "192.168.98.44", + "port": 8265 }, - "source": { - "port": 1452, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": 
"localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3311,75 +3286,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1452 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11774", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1452, + "mapped_source_ip": "192.168.179.219", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1452 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575485987Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1452, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.179.219", - "ip": "192.168.179.219" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3390,80 +3369,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.179.219", + "ip": "192.168.179.219", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11775", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.157.232", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575486319Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.179.219", - "connection_id": "11774", - "source_interface": "outside", - "mapped_destination_port": 1452 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.157.232", - "ip": "192.168.157.232" - }, - "tags": [ - "preserve_original_event" - ], 
"network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3474,80 +3452,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.157.232", + "ip": "192.168.157.232", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11776", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.178.133", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575486654Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.157.232", - "connection_id": "11775", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.178.133", - "ip": "192.168.178.133" - }, - "tags": [ - "preserve_original_event" - ], 
"network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3558,80 +3535,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.178.133", + "ip": "192.168.178.133", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11775", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575486981Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.178.133", - "connection_id": "11776", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.157.232", - "ip": "192.168.157.232" - }, - "tags": [ - "preserve_original_event" - ], "network": { 
"bytes": 101, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3642,80 +3618,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.157.232", + "ip": "192.168.157.232", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11776", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575487315Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11775", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.178.133", - "ip": "192.168.178.133" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 126, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } 
+ }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3726,79 +3701,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.178.133", + "ip": "192.168.178.133", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8266 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575487650Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11776", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8266, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1453, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp" + "network": { + "iana_number": "6", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { 
"interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3809,75 +3778,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1453 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11777", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1453, + "mapped_source_ip": "192.168.133.112", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1453 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575487983Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1453, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.133.112", - "ip": "192.168.133.112" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3888,80 +3861,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.133.112", + "ip": "192.168.133.112", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11777", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1453 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575488465Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.133.112", - "connection_id": "11777", - "source_interface": "outside", - "mapped_destination_port": 1453 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1453, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.133.112", - "ip": "192.168.133.112" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { "bytes": 862, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -3972,81 +3945,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.133.112", + "ip": "192.168.133.112", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11779", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.204.197", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575488807Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11777", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.204.197", - "ip": "192.168.204.197" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4057,80 +4028,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.204.197", + "ip": "192.168.204.197", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11778", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575489137Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.204.197", - "connection_id": "11779", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.157.232", - "ip": "192.168.157.232" - }, - "tags": [ - "preserve_original_event" - ], "network": { 
"bytes": 104, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4141,80 +4111,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.157.232", + "ip": "192.168.157.232", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11779", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575489475Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11778", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.204.197", - "ip": "192.168.204.197" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 176, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } 
+ }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4225,79 +4194,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.204.197", + "ip": "192.168.204.197", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8267 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575489958Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11779", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8267, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1454, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": 
"asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4308,75 +4271,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1454 }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575490787Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", - "code": "305011", - "kind": "event", + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11780", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1454, + "mapped_source_ip": "192.168.128.3", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1454 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1454, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.128.3", - "ip": "192.168.128.3" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4387,79 +4354,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.128.3", + "ip": "192.168.128.3", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8268 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575491150Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.128.3", - "connection_id": "11780", - "source_interface": "outside", - "mapped_destination_port": 1454 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8268, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1455, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4470,75 +4431,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1455 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11781", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1455, + "mapped_source_ip": "192.168.128.3", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1455 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575491492Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1455, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.128.3", - "ip": "192.168.128.3" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": 
{ "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4549,79 +4514,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.128.3", + "ip": "192.168.128.3", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8269 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575491830Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.128.3", - "connection_id": "11781", - "source_interface": "outside", - "mapped_destination_port": 1455 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8269, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1456, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4632,75 +4591,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1456 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11782", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1456, + "mapped_source_ip": "192.168.128.3", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1456 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575492176Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1456, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.128.3", - "ip": "192.168.128.3" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": 
{ "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4711,80 +4674,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.128.3", + "ip": "192.168.128.3", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11783", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.100.4", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575492508Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.128.3", - "connection_id": "11782", - "source_interface": "outside", - "mapped_destination_port": 1456 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.4", - "ip": "192.168.100.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4795,80 +4757,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.100.4", + "ip": "192.168.100.4", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11783", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575492839Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.100.4", - "connection_id": "11783", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.4", - "ip": "192.168.100.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 104, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4879,79 +4840,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.100.4", + "ip": "192.168.100.4", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8270 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575493183Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11783", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8270, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1457, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": 
"asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -4962,75 +4917,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1457 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11784", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1457, + "mapped_source_ip": "192.168.198.40", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1457 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575493517Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1457, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.40", - "ip": "192.168.198.40" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5041,79 +5000,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.40", + "ip": "192.168.198.40", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8271 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575493861Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.198.40", - "connection_id": "11784", - "source_interface": "outside", - "mapped_destination_port": 1457 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8271, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1458, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5124,75 +5077,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575494242Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1458 }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11785", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1458, + "mapped_source_ip": "192.168.198.40", + "mapped_source_port": 80, + "source_interface": "outside" + } }, "destination": { - "port": 1458, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1458 }, - "source": { - "port": 80, - "address": "192.168.198.40", - "ip": "192.168.198.40" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": 
{ + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5203,80 +5160,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.40", + "ip": "192.168.198.40", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11786", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.1.107", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575494581Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.198.40", - "connection_id": "11785", - "source_interface": "outside", - "mapped_destination_port": 1458 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.1.107", - "ip": "192.168.1.107" - }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5287,80 +5243,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.1.107", + "ip": "192.168.1.107", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11784", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1457 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575494918Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.1.107", - "connection_id": "11786", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1457, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.40", - "ip": "192.168.198.40" - }, - "tags": [ - "preserve_original_event" - ], 
"network": { "bytes": 593, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5371,80 +5327,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.40", + "ip": "192.168.198.40", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8272 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575495249Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11784", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8272, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1459, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - 
"hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5455,75 +5404,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1459 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11787", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1459, + "mapped_source_ip": "192.168.198.40", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1459 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575495575Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1459, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.40", - "ip": "192.168.198.40" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5534,80 +5487,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.40", + "ip": "192.168.198.40", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11786", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575495912Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.198.40", - "connection_id": "11787", - "source_interface": "outside", - "mapped_destination_port": 1459 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.1.107", - "ip": "192.168.1.107" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 375, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5618,79 +5570,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.1.107", + "ip": "192.168.1.107", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8273 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575496235Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11786", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8273, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1460, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "inside" + "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - 
"egress": { + "ingress": { "interface": { - "name": "outside" + "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5701,75 +5647,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1460 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11788", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1460, + "mapped_source_ip": "192.168.192.44", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1460 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575496570Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1460, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.192.44", - "ip": "192.168.192.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -5780,36 +5730,42 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.192.44", + "ip": "192.168.192.44", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575496903Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.192.44", - "connection_id": "11788", - "source_interface": "outside", - "mapped_destination_port": 1460 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
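Review bot: In the `@@ -5780` hunk the new side of the 305012 "Teardown dynamic TCP translation" event still carries an empty `"cisco": { "ftd": {} }` and no `source`/`destination` object, although the preceding hunk's 305011 "Built dynamic TCP translation" event is parsed from the same `inside:IP/PORT to outside:IP/PORT` text into `"source": { "address": "172.31.98.44", "ip": "172.31.98.44", "port": 1454 }` and `"destination": { "address": "192.168.98.44", "ip": "192.168.98.44", "port": 8267 }`; the commit leaves this as it was. Without those endpoints the teardown cannot be correlated with its build event, and the empty object is indexed noise. The same event is also classified `"action": "firewall-rule"`, `"type": ["info"]` while the 302014/302016 teardowns in the neighbouring hunks use `"action": "flow-expiration"`, `"type": ["connection", "end"]` and map `duration 0:00:00` to `"duration": 0`, whereas the `duration 0:00:30` in this message is dropped. As this is a generated expected file, the fix belongs in the ingest pipeline's 305012 handling and the fixture should then be regenerated rather than edited by hand; the enclosing event object starts and ends outside this hunk.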
@@ -5820,86 +5776,73 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575497240Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8277, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1385, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" 
}, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -5910,75 +5853,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1385 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11797", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.156.80", + "mapped_destination_port": 1385, + "mapped_source_ip": "192.168.19.254", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1385 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575497570Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1385, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -5989,36 +5936,42 @@ "172.31.156.80" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575497895Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.156.80", - "mapped_source_ip": "192.168.19.254", - "connection_id": "11797", - "source_interface": "outside", - "mapped_destination_port": 1385 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
@@ -6029,43 +5982,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575498222Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6076,43 +6028,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575498671Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6123,43 +6074,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575499006Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6170,43 +6120,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575499337Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6217,43 +6166,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575499674Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -6264,87 +6212,80 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11564", + "destination_interface": "inside", + "source_interface": "outside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1382 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575500004Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30", - "code": "305012", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 325000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:29:31.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1382, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "source": { - "port": 80, - "address": "192.168.115.46", - "ip": "192.168.115.46" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 575, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": 
"inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6355,81 +6296,80 @@ "172.31.156.80" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.115.46", + "ip": "192.168.115.46", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11797", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1385 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 325000000000, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575500333Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:29:31.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + "reason": "TCP Reset-I", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11564", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1385, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 5391, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6440,80 +6380,73 @@ "172.31.156.80" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8278 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP Reset-I", - "ingested": "2021-12-14T14:37:05.575500682Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11797", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8278, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1386, - "address": "172.31.156.80", - "ip": "172.31.156.80" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } 
}, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6524,75 +6457,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575501045Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "172.31.156.80", + "ip": "172.31.156.80", + "port": 1386 }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11798", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.156.80", + "mapped_destination_port": 1386, + "mapped_source_ip": "192.168.115.46", + "mapped_source_port": 80, + "source_interface": "outside" + } }, "destination": { - "port": 1386, "address": "172.31.156.80", - "ip": "172.31.156.80" + "ip": "172.31.156.80", + "port": 1386 }, - "source": { - "port": 80, - "address": "192.168.115.46", - "ip": "192.168.115.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6603,79 +6540,76 @@ "172.31.156.80" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.115.46", + "ip": "192.168.115.46", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575501387Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.156.80", - "mapped_source_ip": "192.168.115.46", - "connection_id": "11798", - "source_interface": "outside", - "mapped_destination_port": 1386 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6686,77 +6620,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575501718Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6767,77 +6700,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575502049Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { "destination_interface": "inside", "rule_name": "inbound", "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "warning" }, "destination": { - "port": 8277, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 8277 }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" + "ecs": { + "version": "1.12.0" }, - "tags": [ - "preserve_original_event" - ], - "network": { + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "warning" + }, + "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": 
{ - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6848,77 +6780,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.19.254", + "ip": "192.168.19.254", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575502381Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.19.254", - "ip": "192.168.19.254" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -6929,77 +6860,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8277
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575502711Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8277,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.19.254",
- "ip": "192.168.19.254"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7010,77 +6940,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8277
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575503070Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8277,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.19.254",
- "ip": "192.168.19.254"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7091,77 +7020,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8277
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575503484Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8277,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.19.254",
- "ip": "192.168.19.254"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7172,77 +7100,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8277
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575503867Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8277,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.19.254",
- "ip": "192.168.19.254"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7253,77 +7180,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8277
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575504198Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8277,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.19.254",
- "ip": "192.168.19.254"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7334,77 +7260,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
- },
- "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575504528Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
- "action": "firewall-rule",
- "category": [
- "network"
- ],
- "type": [
- "info",
- "denied"
- ],
- "outcome": "failure"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
 },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
 "cisco": {
 "ftd": {
 "destination_interface": "inside",
 "rule_name": "inbound",
 "source_interface": "outside"
 }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
- },
- "log": {
- "level": "warning"
 },
 "destination": {
- "port": 8277,
 "address": "172.31.98.44",
- "ip": "172.31.98.44"
+ "ip": "172.31.98.44",
+ "port": 8277
 },
- "source": {
- "port": 80,
- "address": "192.168.19.254",
- "ip": "192.168.19.254"
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
+ "type": [
+ "info",
+ "denied"
+ ]
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "log": {
+ "level": "warning"
 },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7415,77 +7340,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8277
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575504855Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8277,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.19.254",
- "ip": "192.168.19.254"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7496,77 +7420,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8277
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575505191Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8277,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.19.254",
- "ip": "192.168.19.254"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7577,77 +7500,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8277
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575505532Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8277,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.19.254",
- "ip": "192.168.19.254"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7658,77 +7580,73 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
+ },
+ "destination": {
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44",
+ "port": 8279
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575505889Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "305011",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279",
+ "severity": 6,
 "type": [
- "info",
- "denied"
- ],
- "outcome": "failure"
+ "info"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 8279,
- "address": "192.168.98.44",
- "ip": "192.168.98.44"
- },
- "source": {
- "port": 1275,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "inside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "outside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7739,75 +7657,79 @@
 "192.168.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 1275
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "connection_id": "11799",
+ "destination_interface": "inside",
+ "mapped_destination_ip": "172.31.98.44",
+ "mapped_destination_port": 1275,
+ "mapped_source_ip": "192.168.205.99",
+ "mapped_source_port": 80,
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 1275
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575506224Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279",
- "code": "305011",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "302013",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)",
+ "severity": 6,
 "type": [
 "info"
 ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "outside",
- "source_interface": "inside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 1275,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.205.99",
- "ip": "192.168.205.99"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
+ "direction": "outbound",
 "iana_number": "6",
- "transport": "tcp",
- "direction": "outbound"
+ "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7818,79 +7740,73 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.205.99",
+ "ip": "192.168.205.99",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
+ },
+ "destination": {
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44",
+ "port": 1190
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575506563Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)",
- "code": "302013",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "305011",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190",
+ "severity": 6,
 "type": [
 "info"
 ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "mapped_source_port": 80,
- "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "192.168.205.99",
- "connection_id": "11799",
- "source_interface": "outside",
- "mapped_destination_port": 1275
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 1190,
- "address": "192.168.98.44",
- "ip": "192.168.98.44"
- },
- "source": {
- "port": 56132,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "17",
 "transport": "udp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "inside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "outside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -7901,159 +7817,79 @@
 "192.168.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
- },
- "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575506904Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190",
- "code": "305011",
- "kind": "event",
- "action": "firewall-rule",
- "category": [
- "network"
- ],
- "type": [
- "info"
- ]
+ "source": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 56132
 },
- "cisco": {
- "ftd": {
- "destination_interface": "outside",
- "source_interface": "inside"
- }
- }
+ "tags": [
+ "preserve_original_event"
+ ]
 },
 {
- "process": {
- "name": "CiscoASA",
- "pid": 999
- },
- "log": {
- "level": "informational"
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "connection_id": "11800",
+ "destination_interface": "inside",
+ "mapped_destination_ip": "172.31.98.44",
+ "mapped_destination_port": 56132,
+ "mapped_source_ip": "192.168.14.30",
+ "mapped_source_port": 53,
+ "source_interface": "outside"
+ }
 },
 "destination": {
- "port": 56132,
 "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 53,
- "address": "192.168.14.30",
- "ip": "192.168.14.30"
- },
- "tags": [
- "preserve_original_event"
- ],
- "network": {
- "iana_number": "17",
- "transport": "udp",
- "direction": "outbound"
- },
- "observer": {
- "ingress": {
- "interface": {
- "name": "outside"
- }
- },
- "hostname": "localhost",
- "product": "asa",
- "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "ip": "172.31.98.44",
+ "port": 56132
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
 "version": "1.12.0"
 },
- "related": {
- "hosts": [
- "localhost"
- ],
- "ip": [
- "192.168.14.30",
- "172.31.98.44"
- ]
- },
- "host": {
- "hostname": "localhost"
- },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575507232Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
- "code": "302015",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "302015",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "severity": 6,
 "type": [
 "info"
 ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "mapped_source_port": 53,
- "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "192.168.14.30",
- "connection_id": "11800",
- "source_interface": "outside",
- "mapped_destination_port": 56132
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 56132,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 53,
- "address": "192.168.14.30",
- "ip": "192.168.14.30"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
- "bytes": 373,
+ "direction": "outbound",
 "iana_number": "17",
 "transport": "udp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -8064,166 +7900,164 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.14.30", + "ip": "192.168.14.30", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11800", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575507569Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11800", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.252.210", - "ip": "192.168.252.210" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 373, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + 
"egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.252.210", + "192.168.14.30", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.14.30", + "ip": "192.168.14.30", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11801", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.252.210", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575507900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - 
"mapped_source_ip": "192.168.252.210", - "connection_id": "11801", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.252.210", - "ip": "192.168.252.210" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 207, + "direction": "outbound", "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, - "related": { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { "hosts": [ "localhost" ], 
@@ -8232,404 +8066,399 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.210", + "ip": "192.168.252.210", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11801", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575508241Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11801", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8280, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1276, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "iana_number": "6", - "transport": "tcp" + "bytes": 207, + "iana_number": "17", + "transport": "udp" }, "observer": { - 
"ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.252.210", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.252.210", + "ip": "192.168.252.210", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8280 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575508576Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1276, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": 
"192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1276 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11802", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1276, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1276 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575508913Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", + 
"severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11802", - "source_interface": "outside", - "mapped_destination_port": 1276 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8281, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575509267Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { "destination_interface": "outside", "source_interface": 
"inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1277, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8281 }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1277 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11803", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1277, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + 
"source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575509604Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11803", - "source_interface": "outside", - "mapped_destination_port": 1277 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1276, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 12853, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": 
"CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
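Review bot: On the new side, the 305011 event whose `event.original` is `Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280` is expected to carry `"destination": { "address": "192.168.98.44", "ip": "192.168.98.44", "port": 8280 }`, yet in that message the `outside:` tuple is the translated address of the same inside host, not a peer the host talked to. If the aim of this PR is ECS agreement, the translated tuple looks like it belongs in `source.nat.ip` / `source.nat.port` rather than `destination.*` (the 302013/302015 expectations in this hunk already keep the translated tuple apart under `cisco.ftd.mapped_*`), with `related.ip` still listing both addresses; as written the fixture pins a NAT address as a destination, which would mislead detections keyed on `destination.ip`. The same shape recurs in the later hunks for the 8281, 8282 and 8283 translations. Since this file is an expected-output fixture, the correction presumably belongs in the ingest pipeline, with the fixture regenerated afterwards.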
@@ -8640,243 +8469,240 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11802", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1276 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575509952Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11802", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8282, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1278, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 12853, "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8282 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575510281Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1278, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": 
"192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1278 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11804", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1278, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1278 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575510612Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", + 
"severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11804", - "source_interface": "outside", - "mapped_destination_port": 1278 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1277, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 5291, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -8887,243 +8713,240 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11803", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1277 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575511091Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11803", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8283, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1279, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 5291, "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8283 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575512041Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1279, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": 
"192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } - }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1279 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11805", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1279, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1279 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575512413Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", + 
"severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11805", - "source_interface": "outside", - "mapped_destination_port": 1279 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1278, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 965, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9134,81 +8957,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11804", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1278 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575512756Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11804", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1279, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 8605, + "bytes": 965, "iana_number": "6", "transport": 
"tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9219,243 +9041,240 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11805", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1279 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575513090Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11805", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8284, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1280, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 8605, "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8284 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575513417Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1280, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": 
"192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1280 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11806", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1280, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1280 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575513909Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", + 
"severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11806", - "source_interface": "outside", - "mapped_destination_port": 1280 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1280, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 3428, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9466,242 +9285,157 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11806", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1280 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575514241Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11806", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8285, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1281, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 3428, "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575514577Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { "destination_interface": "outside", "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1281, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "outbound" - }, - "observer": { - "ingress": { - "interface": { - "name": "outside" - } - }, - "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8285 }, - "@timestamp": 
"2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "192.168.98.165", - "172.31.98.44" - ] - }, - "host": { - "hostname": "localhost" - }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575514914Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11807", - "source_interface": "outside", - "mapped_destination_port": 1281 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8286, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1282, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9712,75 +9446,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1281 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11807", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1281, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1281 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575515323Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1282, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9791,79 +9529,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8286 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575515686Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11808", - "source_interface": "outside", - "mapped_destination_port": 1282 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8287, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1283, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9874,75 +9606,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575516037Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1282 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { - "destination_interface": "outside", - "source_interface": "inside" + "connection_id": "11808", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1282, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1283, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1282 }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + 
"interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -9953,79 +9689,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8287 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575516374Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11809", - "source_interface": "outside", - "mapped_destination_port": 1283 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8288, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1284, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10036,75 +9766,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1283 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11809", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1283, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1283 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575516712Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1284, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10115,165 +9849,156 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8288 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575517048Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11810", - "source_interface": "outside", - "mapped_destination_port": 1284 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1281, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 2028, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": 
"Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1284 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11810", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1284, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1284 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575517379Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11807", - "source_interface": "outside" - } - } - }, 
- { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1282, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 1085, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10284,81 +10009,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11807", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1281 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575517707Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11808", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1283, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 868, + "bytes": 2028, "iana_number": "6", 
"transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10369,159 +10093,164 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11808", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1282 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575518036Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11809", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8289, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1285, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp" + "network": { + 
"bytes": 1085, + "iana_number": "6", + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11809", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1283 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575518368Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", - "code": "305011", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - 
}, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1285, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 868, "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10532,79 +10261,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8289 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575518704Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11811", - "source_interface": "outside", - "mapped_destination_port": 1285 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8290, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1286, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10615,75 +10338,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1285 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11811", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1285, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1285 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575519048Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1286, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10694,243 +10421,240 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8290 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575519398Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11812", - "source_interface": "outside", - "mapped_destination_port": 1286 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1284, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 4439, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - 
"vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1286 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11812", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1286, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1286 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575519729Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11810", - "source_interface": "outside" - } 
- } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8291, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1287, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11810", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1284 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575520057Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", - "code": "305011", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1287, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 4439, "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -10941,165 +10665,156 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575520383Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11813", - "source_interface": "outside", - "mapped_destination_port": 1287 + "destination_interface": "outside", + "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1285, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8291 }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 914, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": 
{ "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1287 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11813", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1287, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1287 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575520713Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - 
"destination_interface": "inside", - "connection_id": "11811", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1286, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 871, + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11110,495 +10825,573 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11811", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1285 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575521045Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11812", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.107", - "ip": "192.168.100.107" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "iana_number": "17", - "transport": "udp", - "direction": 
"outbound" + "bytes": 914, + "iana_number": "6", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.100.107", + "192.168.98.165", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575521400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { + "connection_id": "11812", "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.100.107", - "connection_id": "11814", - "source_interface": "outside", - "mapped_destination_port": 56132 + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 8292, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1288, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1286 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": 
"flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 871, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11814", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.100.107", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575521733Z", - "original": "Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1288, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "iana_number": "17", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", + "192.168.100.107", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.100.107", + "ip": "192.168.100.107", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": 
"inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8292 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575522067Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11815", - "source_interface": "outside", - "mapped_destination_port": 1288 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.107", - "ip": "192.168.100.107" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 384, - "iana_number": "17", - "transport": "udp" + "iana_number": "6", + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
"localhost" ], "ip": [ - "192.168.100.107", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575522394Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1288 }, - "cisco": { - "ftd": { + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11815", "destination_interface": "inside", - "connection_id": "11814", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1288, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 56132, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 1288 }, - "source": { - "port": 53, - "address": "192.168.104.8", - "ip": "192.168.104.8" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "direction": "outbound", + "iana_number": "6", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.104.8", + "192.168.98.165", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11814", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575522743Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - 
"info" + "connection", + "end" ] }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 384, + "iana_number": "17", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.100.107", + "172.31.98.44" + ] + }, + "source": { + "address": "192.168.100.107", + "ip": "192.168.100.107", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { + "connection_id": "11816", "destination_interface": "inside", - "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, "mapped_source_ip": "192.168.104.8", - "connection_id": "11816", - "source_interface": "outside", - "mapped_destination_port": 56132 + "mapped_source_port": 53, + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 56132, "address": "172.31.98.44", - "ip": "172.31.98.44" + "ip": "172.31.98.44", + "port": 56132 }, - "source": { - "port": 53, - "address": "192.168.104.8", - "ip": "192.168.104.8" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "bytes": 94, + "direction": "outbound", "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11609,79 +11402,156 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.104.8", + "ip": "192.168.104.8", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11816", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575523075Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11816", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8293, - "address": "192.168.98.44", - "ip": "192.168.98.44" + "network": { + "bytes": 94, + "iana_number": "17", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", 
+ "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.104.8", + "172.31.98.44" + ] }, "source": { - "port": 1289, - "address": "172.31.98.44", - "ip": "172.31.98.44" + "address": "192.168.104.8", + "ip": "192.168.104.8", + "port": 53 }, "tags": [ "preserve_original_event" - ], + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8293 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11692,75 +11562,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1289 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11817", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1289, + "mapped_source_ip": "192.168.123.191", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1289 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575523424Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1289, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.123.191", - "ip": "192.168.123.191" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11771,80 +11645,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.123.191", + "ip": "192.168.123.191", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11815", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1288 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575523760Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.123.191", - "connection_id": "11817", - "source_interface": "outside", - "mapped_destination_port": 1289 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1288, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { "bytes": 945, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11855,81 +11729,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11813", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1287 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575524093Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11815", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1287, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 13284, "iana_number": "6", "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -11940,81 +11813,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11818", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.100.4", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575524413Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11813", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.4", - "ip": "192.168.100.4" - }, - "tags": [ - "preserve_original_event" 
- ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12025,80 +11896,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575524745Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.100.4", + "ip": "192.168.100.4", + "port": 53 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.100.4", "connection_id": "11818", - "source_interface": "outside", - "mapped_destination_port": 56132 + "destination_interface": "inside", + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.100.4", - "ip": "192.168.100.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { 
"bytes": 104, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12109,79 +11979,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.100.4", + "ip": "192.168.100.4", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8294 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575525072Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11818", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8294, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1290, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": 
"asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12192,75 +12056,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1290 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11819", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1290, + "mapped_source_ip": "192.168.198.25", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1290 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575525405Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1290, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.198.25", - "ip": "192.168.198.25" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12271,80 +12139,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.198.25", + "ip": "192.168.198.25", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "9828", + "destination_interface": "NP Identity Ifc", + "source_interface": "outside" + } + }, + "destination": { + "address": "255.255.255.255", + "ip": "255.255.255.255", + "port": 68 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575525751Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 3526000000000, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", + "severity": 6, + "start": "2018-10-10T11:36:10.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.198.25", - "connection_id": "11819", - "source_interface": "outside", - "mapped_destination_port": 1290 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" - }, - "destination": { - "port": 68, - "address": "255.255.255.255", - "ip": "255.255.255.255" - }, - "source": { - "port": 67, - "address": "192.168.48.1", - "ip": "192.168.48.1" - }, - "tags": [ - "preserve_original_event" 
- ], + }, "network": { "bytes": 58512, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "NP Identity Ifc" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "NP Identity Ifc" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -12355,36 +12222,42 @@ "255.255.255.255" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.48.1", + "ip": "192.168.48.1", + "port": 67 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 3526000000000, - "ingested": "2021-12-14T14:37:05.575526081Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", - "code": "302016", - "kind": "event", - "start": "2018-10-10T11:36:10.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "NP Identity Ifc", - "connection_id": "9828", - "source_interface": "outside" - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
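Review bot: The 305012 document in the second hunk on this line (the one whose new side carries `"cisco": { "ftd": {} }`) still has no `source`, `destination`, `event.duration` or `related.ip`, although its `event.original` names `inside:172.31.98.44/1272`, `outside:192.168.98.44/8276` and `duration 0:00:30`; the paired 305011 "Built dynamic TCP translation" document in the previous hunk does populate `source`, `destination` and `related.ip`. Translation teardowns therefore cannot be pivoted on by IP or matched to their build event, which is what `related.ip` exists for. This file is a pipeline expected-output fixture, so the gap presumably lies in the ftd ingest pipeline's handling of 305012 rather than here, and this fixture would need regenerating once that parsing is added; the commit's key reordering and the removal of the non-deterministic `event.ingested` are unaffected by this point.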
@@ -12395,87 +12268,79 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11820", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.3.39", + "mapped_source_port": 53, + "source_interface": "outside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575526416Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.3.39", - "ip": "192.168.3.39" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + 
"interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12486,164 +12351,245 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.3.39", + "ip": "192.168.3.39", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11821", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.162.30", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575526745Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, + "network": { + "direction": "outbound", + "iana_number": "17", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.162.30", + "172.31.98.44" + ] + }, + "source": { + "address": "192.168.162.30", + "ip": "192.168.162.30", + "port": 53 + }, 
+ "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.3.39", "connection_id": "11820", - "source_interface": "outside", - "mapped_destination_port": 56132 + "destination_interface": "inside", + "source_interface": "outside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.162.30", - "ip": "192.168.162.30" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 168, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
"localhost" ], "ip": [ - "192.168.162.30", + "192.168.3.39", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.3.39", + "ip": "192.168.3.39", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11822", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.3.39", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575527096Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.162.30", - "connection_id": "11821", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.3.39", - "ip": "192.168.3.39" - }, - "tags": [ - 
"preserve_original_event" - ], "network": { - "bytes": 168, + "direction": "outbound", "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12654,332 +12600,328 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.3.39", + "ip": "192.168.3.39", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11821", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575527427Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11820", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.3.39", - "ip": "192.168.3.39" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 198, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { 
+ "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.3.39", + "192.168.162.30", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.162.30", + "ip": "192.168.162.30", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11822", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575527758Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.3.39", - "connection_id": 
"11822", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { - "level": "informational" - }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.162.30", - "ip": "192.168.162.30" + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 198, + "bytes": 150, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.162.30", + "192.168.3.39", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.3.39", + "ip": "192.168.3.39", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11823", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.48.186", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575528092Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to 
inside:172.31.98.44/56132 duration 0:00:00 bytes 198", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11821", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.3.39", - "ip": "192.168.3.39" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 150, + "direction": "outbound", "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.3.39", + "192.168.48.186", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.48.186", + "ip": "192.168.48.186", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11823", + 
"destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575528437Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11822", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.48.186", - "ip": "192.168.48.186" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 84, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": 
"2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -12990,326 +12932,322 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.48.186", + "ip": "192.168.48.186", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8295 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575528773Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.48.186", - "connection_id": "11823", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.48.186", - "ip": "192.168.48.186" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 84, - "iana_number": "17", - "transport": "udp" + "iana_number": "6", + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - 
"product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.48.186", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1291 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11824", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1291, + "mapped_source_ip": "192.168.54.190", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1291 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575529109Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11823", - "source_interface": 
"outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8295, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1291, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.54.190", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.54.190", + "ip": "192.168.54.190", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11825", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.254.94", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575529440Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + 
"code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1291, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.54.190", - "ip": "192.168.54.190" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "direction": "outbound", + "iana_number": "17", + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.54.190", + "192.168.254.94", "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.254.94", + "ip": "192.168.254.94", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11825", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": 
"2021-12-14T14:37:05.575529766Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.54.190", - "connection_id": "11824", - "source_interface": "outside", - "mapped_destination_port": 1291 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.254.94", - "ip": "192.168.254.94" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 188, "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -13320,566 +13258,560 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.254.94", + "ip": "192.168.254.94", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8296 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575530284Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.254.94", - "connection_id": "11825", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.254.94", - "ip": "192.168.254.94" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 188, - "iana_number": "17", - "transport": "udp" + "iana_number": "6", + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - 
"product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.254.94", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1292 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11826", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1292, + "mapped_source_ip": "192.168.54.190", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1292 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575530674Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11825", - "source_interface": 
"outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8296, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1292, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.54.190", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.54.190", + "ip": "192.168.54.190", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8297 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575530999Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to 
outside:192.168.98.44/8297", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1292, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.54.190", - "ip": "192.168.54.190" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.54.190", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1293 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11827", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1293, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1293 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575531334Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP 
connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.54.190", - "connection_id": "11826", - "source_interface": "outside", - "mapped_destination_port": 1292 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8297, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1293, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8298 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575531665Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1293, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": 
"localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1294 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11828", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1294, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1294 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575531999Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11827", - "source_interface": "outside", - "mapped_destination_port": 1293 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8298, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1294, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, 
"observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11827", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1293 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575532321Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", - "code": "305011", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], - "type": [ - "info" - ] - }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", + "type": [ + 
"connection", + "end" + ] + }, + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1294, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "bytes": 5964, "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -13890,326 +13822,233 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8299 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575533137Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11828", - "source_interface": "outside", - "mapped_destination_port": 1294 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1293, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "bytes": 5964, "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - 
"vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "inside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "192.168.98.165", - "172.31.98.44" + "172.31.98.44", + "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1295 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11829", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1295, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1295 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575533562Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11827", - "source_interface": "outside" - } 
- } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8299, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1295, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ "localhost" ], "ip": [ - "172.31.98.44", - "192.168.98.44" + "192.168.98.165", + "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575533902Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", "cisco": { "ftd": { "destination_interface": "outside", "source_interface": "inside" } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "destination": { - "port": 1295, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - 
"preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp", - "direction": "outbound" - }, - "observer": { - "ingress": { - "interface": { - "name": "outside" - } - }, - "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8300 }, - "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "192.168.98.165", - "172.31.98.44" - ] - }, - "host": { - "hostname": "localhost" - }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575534242Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11829", - "source_interface": "outside", - "mapped_destination_port": 1295 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8300, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1296, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + 
"interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14220,75 +14059,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1296 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11830", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1296, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1296 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575534588Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1296, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14299,80 +14142,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11828", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1294 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575534915Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11830", - "source_interface": "outside", - "mapped_destination_port": 1296 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1294, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" 
- ], "network": { "bytes": 6694, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14383,81 +14226,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11829", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1295 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575535255Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11828", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1295, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 1493, "iana_number": "6", "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14468,81 +14310,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11830", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1296 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575535584Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11829", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1296, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 893, "iana_number": "6", "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14553,80 +14394,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8301 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575535918Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11830", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8301, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1297, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - 
"hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14637,75 +14471,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1297 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11831", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1297, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1297 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575536253Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1297, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14716,79 +14554,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8302 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575536591Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11831", - "source_interface": "outside", - "mapped_destination_port": 1297 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8302, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1298, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14799,75 +14631,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1298 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11832", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1298, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1298 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575536925Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1298, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -14878,164 +14714,162 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11833", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.179.9", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575537258Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11832", - "source_interface": "outside", - "mapped_destination_port": 1298 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.179.9", - "ip": "192.168.179.9" - }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.179.9", + "172.31.98.44" + ] + }, + "source": { + "address": "192.168.179.9", + "ip": "192.168.179.9", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11833", + "destination_interface": "inside", + "source_interface": "outside" } }, - "@timestamp": "2018-10-10T12:34:56.000Z", + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "192.168.179.9", - "172.31.98.44" - ] - }, - "host": { - "hostname": "localhost" - }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575537582Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + 
"connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.179.9", - "connection_id": "11833", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.179.9", - "ip": "192.168.179.9" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 150, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15046,80 +14880,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.179.9", + "ip": "192.168.179.9", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11831", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1297 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575537914Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11833", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1297, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 2750, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": 
{ + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15130,80 +14964,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8303 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575538244Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11831", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8303, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1299, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - 
"hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15214,75 +15041,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1299 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11834", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1299, + "mapped_source_ip": "192.168.247.99", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1299 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575538597Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1299, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.247.99", - "ip": "192.168.247.99" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15293,79 +15124,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.247.99", + "ip": "192.168.247.99", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8304 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575538929Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.247.99", - "connection_id": "11834", - "source_interface": "outside", - "mapped_destination_port": 1299 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8304, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1300, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15376,75 +15201,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1300 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11835", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1300, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1300 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575539258Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1300, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15455,80 +15284,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11832", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1298 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575539584Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11835", - "source_interface": "outside", - "mapped_destination_port": 1300 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1298, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - 
], "network": { "bytes": 881, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15539,81 +15368,80 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11835", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1300 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575539920Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302014", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11832", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1300, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 2202, "iana_number": "6", "transport": "tcp" }, 
"observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15624,80 +15452,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8305 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:05.575540263Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11835", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8305, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1301, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - 
"hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15708,75 +15529,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1301 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11836", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1301, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1301 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575540616Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1301, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15787,79 +15612,73 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8306 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575540949Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11836", - "source_interface": "outside", - "mapped_destination_port": 1301 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8306, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1302, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -15870,75 +15689,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1302 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11837", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1302, + "mapped_source_ip": "192.168.98.165", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1302 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575541284Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1302, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.98.165", - "ip": "192.168.98.165" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -15949,36 +15772,42 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.98.165", + "ip": "192.168.98.165", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575541629Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.98.165", - "connection_id": "11837", - "source_interface": "outside", - "mapped_destination_port": 1302 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
@@ -15989,43 +15818,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575541959Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16036,43 +15864,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575542292Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16083,43 +15910,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575542622Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16130,43 +15956,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575542962Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16177,43 +16002,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575543295Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16224,43 +16048,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575543626Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16271,43 +16094,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575543953Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16318,43 +16140,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575544283Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16365,43 +16186,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" - }, - "host": { - "hostname": "localhost" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575544615Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16412,43 +16232,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575544949Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16459,43 +16278,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575545283Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16506,43 +16324,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575545632Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16553,43 +16370,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575545961Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16600,43 +16416,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575546292Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16647,86 +16462,73 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8308 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575546627Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 8308, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1304, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, 
- "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -16737,75 +16539,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1304 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11840", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1304, + "mapped_source_ip": "192.168.205.99", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1304 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575546957Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1304, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.205.99", - "ip": "192.168.205.99" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -16816,36 +16622,42 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.205.99", + "ip": "192.168.205.99", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575547287Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.205.99", - "connection_id": "11840", - "source_interface": "outside", - "mapped_destination_port": 1304 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
@@ -16856,43 +16668,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575547618Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -16903,87 +16714,79 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11841", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.0.124", + "mapped_source_port": 53, + "source_interface": "outside" + } }, - "host": { - "hostname": "localhost" + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575547950Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.0.124", - "ip": "192.168.0.124" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + 
"egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -16994,80 +16797,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.0.124", + "ip": "192.168.0.124", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11842", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 56132, + "mapped_source_ip": "192.168.160.2", + "mapped_source_port": 53, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575548294Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.0.124", - "connection_id": "11841", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.160.2", - "ip": "192.168.160.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { + 
"direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -17078,80 +16880,79 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.160.2", + "ip": "192.168.160.2", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11841", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575548618Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", - "code": "302015", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 53, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.160.2", - "connection_id": "11842", - "source_interface": "outside", - "mapped_destination_port": 56132 - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.0.124", - "ip": "192.168.0.124" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 318, 
"iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -17162,163 +16963,156 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.0.124", + "ip": "192.168.0.124", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11842", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 56132 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575548956Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], + "code": "302016", + "duration": 0, + "end": "2018-10-10T12:34:56.000Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "severity": 6, + "start": "2018-10-10T12:34:56.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11841", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 56132, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 53, - "address": "192.168.160.2", - "ip": "192.168.160.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 104, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + 
"hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.160.2", + "172.31.98.44" + ] + }, + "source": { + "address": "192.168.160.2", + "ip": "192.168.160.2", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" } }, - "@timestamp": "2018-10-10T12:34:56.000Z", + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8309 + }, "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "192.168.160.2", - "172.31.98.44" - ] - }, - "host": { - "hostname": "localhost" - }, "event": { - "severity": 6, - "duration": 0, - "ingested": "2021-12-14T14:37:05.575549287Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", - "code": "302016", - "kind": "event", - "start": "2018-10-10T12:34:56.000Z", - "action": "flow-expiration", - "end": "2018-10-10T12:34:56.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "11842", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { 
"level": "informational" }, - "destination": { - "port": 8309, - "address": "192.168.98.44", - "ip": "192.168.98.44" - }, - "source": { - "port": 1305, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "inside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -17329,75 +17123,79 @@ "192.168.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1305 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "connection_id": "11843", + "destination_interface": "inside", + "mapped_destination_ip": "172.31.98.44", + "mapped_destination_port": 1305, + "mapped_source_ip": "192.168.124.24", + "mapped_source_port": 80, + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1305 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575549622Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", - "code": "305011", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "source_interface": "inside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "informational" }, - "destination": { - "port": 1305, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", 
"ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -17408,36 +17206,42 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575550019Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "192.168.124.24", - "connection_id": "11843", - "source_interface": "outside", - "mapped_destination_port": 1305 - } - } - }, - { + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" + }, "observer": { "hostname": "localhost", "product": "asa", 
@@ -17448,43 +17252,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575550395Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -17495,43 +17298,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575550726Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -17542,43 +17344,42 @@ "name": "CiscoASA", "pid": 999 }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" ] }, - "log": { - "level": "informational" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "localhost" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:05.575551063Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", - "code": "305012", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305012", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "localhost", "product": "asa", 
@@ -17589,43 +17390,42 @@
 "name": "CiscoASA",
 "pid": 999
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "localhost"
 ]
 },
- "log": {
- "level": "informational"
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {}
 },
- "host": {
- "hostname": "localhost"
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575551408Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30",
- "code": "305012",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "305012",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30",
+ "severity": 6,
 "type": [
 "info"
 ]
 },
- "cisco": {
- "ftd": {}
+ "host": {
+ "hostname": "localhost"
+ },
+ "log": {
+ "level": "informational"
 },
- "tags": [
- "preserve_original_event"
- ]
- },
- {
 "observer": {
 "hostname": "localhost",
 "product": "asa",
@@ -17636,43 +17436,42 @@
 "name": "CiscoASA",
 "pid": 999
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "localhost"
 ]
 },
- "log": {
- "level": "informational"
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {}
 },
- "host": {
- "hostname": "localhost"
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575551739Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30",
- "code": "305012",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "305012",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30",
+ "severity": 6,
 "type": [
 "info"
 ]
 },
- "cisco": {
- "ftd": {}
+ "host": {
+ "hostname": "localhost"
+ },
+ "log": {
+ "level": "informational"
 },
- "tags": [
- "preserve_original_event"
- ]
- },
- {
 "observer": {
 "hostname": "localhost",
 "product": "asa",
@@ -17683,43 +17482,42 @@
 "name": "CiscoASA",
 "pid": 999
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "localhost"
 ]
 },
- "log": {
- "level": "informational"
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {}
 },
- "host": {
- "hostname": "localhost"
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575552079Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30",
- "code": "305012",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "305012",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30",
+ "severity": 6,
 "type": [
 "info"
 ]
 },
- "cisco": {
- "ftd": {}
+ "host": {
+ "hostname": "localhost"
+ },
+ "log": {
+ "level": "informational"
 },
- "tags": [
- "preserve_original_event"
- ]
- },
- {
 "observer": {
 "hostname": "localhost",
 "product": "asa",
@@ -17730,87 +17528,80 @@
 "name": "CiscoASA",
 "pid": 999
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "hosts": [
 "localhost"
 ]
 },
- "log": {
- "level": "informational"
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "connection_id": "11843",
+ "destination_interface": "inside",
+ "source_interface": "outside"
+ }
 },
- "host": {
- "hostname": "localhost"
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 1305
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575552485Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30",
- "code": "305012",
- "kind": "event",
- "action": "firewall-rule",
+ "action": "flow-expiration",
 "category": [
 "network"
 ],
+ "code": "302014",
+ "duration": 4000000000,
+ "end": "2018-10-10T12:34:56.000Z",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I",
+ "reason": "TCP Reset-I",
+ "severity": 6,
+ "start": "2018-10-10T12:34:52.000Z",
 "type": [
- "info"
+ "connection",
+ "end"
 ]
 },
- "cisco": {
- "ftd": {}
- },
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 1305,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "bytes": 410333,
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -17821,80 +17612,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8309
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "duration": 4000000000,
- "reason": "TCP Reset-I",
- "ingested": "2021-12-14T14:37:05.575552824Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I",
- "code": "302014",
- "kind": "event",
- "start": "2018-10-10T12:34:52.000Z",
- "action": "flow-expiration",
- "end": "2018-10-10T12:34:56.000Z",
+ "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
- "connection",
- "end"
+ "info",
+ "denied"
 ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "connection_id": "11843",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8309,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -17905,77 +17692,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8309
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575553158Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8309,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -17986,77 +17772,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8309
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575553498Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8309,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -18067,77 +17852,73 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
- },
- "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575554102Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
- "action": "firewall-rule",
- "category": [
- "network"
- ],
- "type": [
- "info",
- "denied"
- ],
- "outcome": "failure"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
 },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
 "cisco": {
 "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
+ "destination_interface": "outside",
+ "source_interface": "inside"
 }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ },
+ "destination": {
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44",
+ "port": 8310
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "code": "305011",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310",
+ "severity": 6,
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 8310,
- "address": "192.168.98.44",
- "ip": "192.168.98.44"
- },
- "source": {
- "port": 1306,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "inside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "outside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -18148,75 +17929,79 @@
 "192.168.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 1306
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "connection_id": "11844",
+ "destination_interface": "inside",
+ "mapped_destination_ip": "172.31.98.44",
+ "mapped_destination_port": 1306,
+ "mapped_source_ip": "192.168.124.24",
+ "mapped_source_port": 80,
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 1306
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575554525Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310",
- "code": "305011",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "302013",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)",
+ "severity": 6,
 "type": [
 "info"
 ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "outside",
- "source_interface": "inside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "informational"
 },
- "destination": {
- "port": 1306,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
+ "direction": "outbound",
 "iana_number": "6",
- "transport": "tcp",
- "direction": "outbound"
+ "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
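Review bot: The 302013 record carries the translated endpoints only as `cisco.ftd.mapped_destination_ip`/`mapped_source_ip` (and ports) and has no `source.nat.ip` or `destination.nat.ip`, so the NAT information is not exposed under the ECS `*.nat.*` fields this change is meant to align with. In this sample the mapped values equal the untranslated ones (192.168.124.24/80 and 172.31.98.44/1306), so leaving `nat` out may be intended for an identity translation; the pipeline is not in this diff, so that rule cannot be verified here. If that is the rule, a short comment next to the pipeline's `nat` mapping, along the lines of `# *.nat.ip/port are only set when the mapped address differs from the real one`, would spare the next reader the same question.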
@@ -18227,79 +18012,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8309
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 6,
- "ingested": "2021-12-14T14:37:05.575554860Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)",
- "code": "302013",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
- "info"
+ "info",
+ "denied"
 ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "mapped_source_port": 80,
- "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "192.168.124.24",
- "connection_id": "11844",
- "source_interface": "outside",
- "mapped_destination_port": 1306
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8309,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -18310,77 +18092,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8309
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575555194Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8309,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
- "ingress": {
+ "egress": {
 "interface": {
- "name": "outside"
+ "name": "inside"
 }
 },
 "hostname": "localhost",
- "product": "asa",
- "type": "firewall",
- "vendor": "Cisco",
- "egress": {
+ "ingress": {
 "interface": {
- "name": "inside"
+ "name": "outside"
 }
- }
+ },
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -18391,77 +18172,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8309
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575555542Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8309,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -18472,77 +18252,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8309
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575555868Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8309,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -18553,77 +18332,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8309
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575556196Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8309,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -18634,77 +18412,76 @@
 "172.31.98.44"
 ]
 },
- "host": {
- "hostname": "localhost"
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "inside",
+ "rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 8309
+ },
+ "ecs": {
+ "version": "1.12.0"
 },
 "event": {
- "severity": 4,
- "ingested": "2021-12-14T14:37:05.575556591Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
- "code": "106023",
- "kind": "event",
 "action": "firewall-rule",
 "category": [
 "network"
 ],
+ "code": "106023",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "outcome": "failure",
+ "severity": 4,
 "type": [
 "info",
 "denied"
- ],
- "outcome": "failure"
+ ]
 },
- "cisco": {
- "ftd": {
- "destination_interface": "inside",
- "rule_name": "inbound",
- "source_interface": "outside"
- }
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
+ "host": {
+ "hostname": "localhost"
 },
 "log": {
 "level": "warning"
 },
- "destination": {
- "port": 8309,
- "address": "172.31.98.44",
- "ip": "172.31.98.44"
- },
- "source": {
- "port": 80,
- "address": "192.168.124.24",
- "ip": "192.168.124.24"
- },
- "tags": [
- "preserve_original_event"
- ],
 "network": {
 "iana_number": "6",
 "transport": "tcp"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "hostname": "localhost",
 "ingress": {
 "interface": {
 "name": "outside"
 }
 },
- "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "inside"
- }
- }
+ "vendor": "Cisco"
 },
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "ecs": {
- "version": "1.12.0"
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
 },
 "related": {
 "hosts": [
@@ -18715,77 +18492,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575556917Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18796,77 +18572,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575557249Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18877,77 +18652,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575557592Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -18958,77 +18732,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575557928Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19039,77 +18812,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575558262Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19120,77 +18892,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575558736Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19201,77 +18972,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575559063Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19282,77 +19052,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575559393Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19363,77 +19132,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575559735Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19444,77 +19212,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575560062Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "outside" + "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { - "name": "inside" 
+ "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19525,77 +19292,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575560400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19606,77 +19372,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575560724Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19687,77 +19452,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575561056Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19768,77 +19532,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575561387Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19849,77 +19612,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575561727Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -19930,77 +19692,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575562052Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20011,77 +19772,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575562382Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "outside" + "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { - "name": "inside" 
+ "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20092,77 +19852,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575562718Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20173,77 +19932,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575563063Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20254,77 +20012,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575563395Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20335,77 +20092,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575563717Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20416,77 +20172,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575564045Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20497,77 +20252,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575564367Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20578,77 +20332,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575564692Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { - "name": "outside" + "name": "inside" } }, "hostname": "localhost", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { - "name": "inside" 
+ "name": "outside" } - } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20659,77 +20412,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575565035Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20740,77 +20492,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575565371Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ 
@@ -20821,77 +20572,76 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 8309 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575565704Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "port": 8309, - "address": "172.31.98.44", - "ip": "172.31.98.44" - }, - "source": { - "port": 80, - "address": "192.168.124.24", - "ip": "192.168.124.24" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "outside" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - 
"interface": { - "name": "inside" - } - } + "vendor": "Cisco" }, - "@timestamp": "2018-10-10T12:34:56.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "CiscoASA", + "pid": 999 }, "related": { "hosts": [ @@ -20902,32 +20652,14 @@ "172.31.98.44" ] }, - "host": { - "hostname": "localhost" - }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:05.575566036Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.124.24", + "ip": "192.168.124.24", + "port": 80 }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "inbound", - "source_interface": "outside" - } - } + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json index 1aca74a162a..c2e783357a8 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json 
@@ -1,27 +1,62 @@ { "expected": [ { - "log": { - "level": "alert" + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], + "security": { + "ac_policy": "default", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", + "application_protocol": "DNS", + "client": "DNS client", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "a host address", + "dns_ttl": "70", + "dst_ip": "81.2.69.144", + "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", + "ingress_interface": "inside", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "145", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "57379", + "user": "No Authentication Required" + }, + "source_interface": "inside" + } }, "destination": { + "address": "81.2.69.144", + "bytes": 145, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 145, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -30,141 +65,142 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 57379, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", 
"81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593549919Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 57379 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "a host address", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": 
"Allow", + "access_control_rule_name": "Intrusion-Rule", + "access_control_rule_reason": "Intrusion Monitor", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "57379", - "dns_ttl": "70", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "IP6 Address", + "dns_ttl": "299", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "145", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "ips_count": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "193", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "51389", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 193, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 193, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -173,143 +209,140 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 51389, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - 
], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" - ] - }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593551882Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" ], - "outcome": "success" + "user": [ + "No Authentication Required" + ] }, - "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 51389 }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "access_control_rule_reason": "Intrusion Monitor", - "egress_zone": "output-zone", - "dns_record_type": "IP6 Address", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": 
"Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "51389", - "dns_ttl": "299", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "the canonical name for an alias", + "dns_ttl": "899", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "ips_count": "1", - "responder_bytes": "193", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "166", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "53033", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 166, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 166, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -318,141 +351,142 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 53033, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ 
"10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593552298Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 53033 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "the canonical name for an alias", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - 
"protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", + "access_control_rule_reason": "Intrusion Monitor", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "53033", - "dns_ttl": "899", + "connection_duration": "0", + "dns_query": "www.elastic.co", + "dns_record_type": "a host address", + "dns_ttl": "12", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "166", + "ingress_zone": "input-zone", + "initiator_bytes": "97", + "initiator_packets": "1", + "ips_count": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "200", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "55371", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 200, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 200, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -461,143 +495,141 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 55371, - "bytes": 97, - "packets": 1, - "ip": "10.0.1.20" - }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" + }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No 
Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593552639Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 97, + "ip": "10.0.1.20", + "packets": 1, + "port": 55371 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "access_control_rule_reason": "Intrusion Monitor", - "egress_zone": "output-zone", - "dns_record_type": "a host address", - "responder_packets": "1", - "dns_query": "www.elastic.co", - 
"access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "97", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "55371", - "dns_ttl": "12", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "IP6 Address", + "dns_response_type": "No error", + "dns_ttl": "299", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "ips_count": "1", - "responder_bytes": "200", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "193", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "60441", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 193, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 193, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + 
"port": 53 }, "dns": { "question": { 
@@ -606,142 +638,140 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 60441, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], 
"ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593552990Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 60441 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "IP6 Address", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - 
"protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "60441", - "dns_ttl": "299", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "the canonical name for an alias", + "dns_ttl": "658", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "193", - "dns_response_type": "No error", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "166", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "59714", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 166, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 166, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -750,141 +780,143 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 59714, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ 
"10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593553336Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 59714 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "the canonical name for an alias", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - 
"protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", + "access_control_rule_reason": "Intrusion Monitor", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "59714", - "dns_ttl": "658", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "mail exchange", + "dns_response_type": "Non-Existent Domain", + "dns_ttl": "299", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "166", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "ips_count": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "199", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "55105", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 199, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 199, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -893,144 +925,140 @@ }, "response_code": "NXDOMAIN" }, - "source": { - "address": "10.0.1.20", - "port": 55105, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - 
"user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593553740Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 55105 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "access_control_rule_reason": "Intrusion Monitor", - "egress_zone": "output-zone", - "dns_record_type": "mail exchange", - "responder_packets": "1", - 
"dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "55105", - "dns_ttl": "299", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "an authoritative name server", + "dns_ttl": "21599", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "ips_count": "1", - "responder_bytes": "199", - "dns_response_type": "Non-Existent Domain", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "221", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "57141", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 221, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 221, + 
"ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -1039,141 +1067,141 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 57141, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ 
"10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593554068Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 57141 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "an authoritative name server", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - 
"protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "57141", - "dns_ttl": "21599", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "marks the start of a zone of authority", + "dns_response_type": "Server Failure", + "dns_ttl": "899", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "221", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "166", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "47260", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 166, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 166, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -1182,142 +1210,142 @@ }, "response_code": "SERVFAIL" }, - "source": { - "address": "10.0.1.20", - "port": 47260, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" - }, - "network": { - "protocol": "dns", - "transport": "udp", - "application": "dns client", - "iana_number": "17" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" + }, + "network": { + "application": "dns client", + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": 
"Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593554416Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 47260 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "marks the start of a zone of authority", - "responder_packets": "1", - "dns_query": "elastic.co", - 
"access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", + "access_control_rule_reason": "Intrusion Monitor", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "47260", - "dns_ttl": "899", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "text strings", + "dns_ttl": "299", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "166", - "dns_response_type": "Server Failure", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "ips_count": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "722", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "58082", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 722, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 722, + 
"ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -1326,143 +1354,140 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 58082, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication 
Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593554749Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 58082 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "access_control_rule_reason": "Intrusion Monitor", - "egress_zone": "output-zone", - "dns_record_type": "text strings", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - 
"nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "58082", - "dns_ttl": "299", + "connection_duration": "0", + "dns_query": "refusedthis.com", + "dns_record_type": "a host address", + "dns_response_type": "Query Refused", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "ips_count": "1", - "responder_bytes": "722", + "ingress_zone": "input-zone", + "initiator_bytes": "98", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "75", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "33973", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 75, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 75, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -1471,278 +1496,277 @@ }, "response_code": "REFUSED" }, - "source": { - "address": "10.0.1.20", - "port": 33973, - "bytes": 98, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], 
"ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593578654Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 98, + "ip": "10.0.1.20", + "packets": 1, + "port": 33973 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "a host address", - "responder_packets": "1", - "dns_query": "refusedthis.com", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - 
"protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "98", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "33973", + "connection_duration": "0", + "dns_response_type": "Server Failure", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "75", - "dns_response_type": "Query Refused", + "ingress_zone": "input-zone", + "initiator_bytes": "457", + "initiator_packets": "6", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "tcp", + "responder_bytes": "313", + "responder_packets": "4", + "src_ip": "10.0.1.20", + "src_port": "39541", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" - }, - "dns": { - "response_code": "SERVFAIL" }, "destination": { + "address": "81.2.69.144", + "bytes": 313, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 313, + "ip": "81.2.69.144", "packets": 4, - "ip": "81.2.69.144" + "port": 53 }, - "source": { - "address": "10.0.1.20", - "port": 39541, - "bytes": 457, - "packets": 6, - "ip": "10.0.1.20" + "dns": { + "response_code": "SERVFAIL" + }, + "ecs": { + "version": "1.12.0" + }, 
+ "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "tcp", "application": "dns client", - "iana_number": "6" + "iana_number": "6", + "protocol": "dns", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593580185Z", - "original": "2019-08-26T23:11:03Z 
siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 457, + "ip": "10.0.1.20", + "packets": 6, + "port": 39541 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "responder_packets": "4", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "access_control_rule_action": "Allow", - "prefilter_policy": "Default Prefilter Policy", - "nap_policy": "Balanced Security and Connectivity", - "ingress_zone": "input-zone", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_port": "39541", - "src_ip": "10.0.1.20", - "protocol": "tcp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "457", - "initiator_packets": "6", + 
"client": "DNS client", "connection_duration": "0", + "dns_query": "laskdfjlaksdf.elastic.co", + "dns_record_type": "a host address", + "dns_response_type": "Non-Existent Domain", + "dns_ttl": "900", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "client": "DNS client", - "responder_bytes": "313", - "dns_response_type": "Server Failure", + "ingress_zone": "input-zone", + "initiator_bytes": "107", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "180", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "41672", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 180, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 180, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -1751,142 +1775,140 @@ }, "response_code": "NXDOMAIN" }, - "source": { - "address": "10.0.1.20", - "port": 41672, - "bytes": 107, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication 
Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593580575Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 107, + "ip": "10.0.1.20", + "packets": 1, + "port": 41672 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "a host address", - "responder_packets": "1", - "dns_query": "laskdfjlaksdf.elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and 
Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "107", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "41672", - "dns_ttl": "900", + "connection_duration": "0", + "dns_query": "ns-1168.awsdns-18.org", + "dns_record_type": "a host address", + "dns_ttl": "31694", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "180", - "dns_response_type": "Non-Existent Domain", + "ingress_zone": "input-zone", + "initiator_bytes": "104", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "108", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "59577", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 108, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 108, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -1895,141 +1917,141 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 59577, - "bytes": 104, - "packets": 1, - "ip": "10.0.1.20" - }, - "network": { - "protocol": "dns", - "transport": "udp", - "application": "dns client", - "iana_number": "17" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" + }, + "network": { + "application": "dns client", + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No 
Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593580919Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 104, + "ip": "10.0.1.20", + "packets": 1, + "port": 59577 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "a host address", - "responder_packets": "1", - "dns_query": "ns-1168.awsdns-18.org", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": 
"81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "104", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "59577", - "dns_ttl": "31694", + "connection_duration": "0", + "dns_query": "_http._tcp.security.ubuntu.com", + "dns_record_type": "Server Selection", + "dns_response_type": "Non-Existent Domain", + "dns_ttl": "946", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "108", + "ingress_zone": "input-zone", + "initiator_bytes": "101", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "162", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "35998", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 162, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 162, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -2038,142 +2060,142 @@ }, "response_code": "NXDOMAIN" }, - "source": { - "address": "10.0.1.20", - "port": 35998, - "bytes": 101, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication 
Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593581252Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 101, + "ip": "10.0.1.20", + "packets": 1, + "port": 35998 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "Server Selection", - "responder_packets": "1", - "dns_query": "_http._tcp.security.ubuntu.com", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security 
and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", + "access_control_rule_reason": "Intrusion Monitor", "application_protocol": "DNS", - "initiator_bytes": "101", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "35998", - "dns_ttl": "946", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "mail exchange", + "dns_ttl": "299", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "162", - "dns_response_type": "Non-Existent Domain", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "ips_count": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "199", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "55105", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 199, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 199, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 
}, "dns": { "question": { 
@@ -2182,143 +2204,140 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 55105, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication 
Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593581586Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 55105 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "access_control_rule_reason": "Intrusion Monitor", - "egress_zone": "output-zone", - "dns_record_type": "mail exchange", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - 
"nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "55105", - "dns_ttl": "299", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "marks the start of a zone of authority", + "dns_ttl": "899", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "ips_count": "1", - "responder_bytes": "199", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "166", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "47260", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 166, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 166, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -2327,141 +2346,140 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 47260, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], 
"ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593582019Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 47260 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "marks the start of a zone of authority", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - 
"src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "47260", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "the canonical name for an alias", "dns_ttl": "899", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", "responder_bytes": "166", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "53033", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 166, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 166, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -2470,141 +2488,140 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 53033, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": 
[ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593582355Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 53033 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "the canonical name for an alias", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - 
"protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "53033", - "dns_ttl": "899", + "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "an authoritative name server", + "dns_ttl": "21599", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "166", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "221", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "57141", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 221, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 221, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -2613,141 +2630,139 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 57141, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" - }, - "network": { - "protocol": "dns", - "transport": "udp", - "application": "dns client", - "iana_number": "17" + "ecs": { + "version": "1.12.0" }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "ingress": { - "interface": { - "name": "inside" - } - }, - "hostname": "siem-ftd", - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" + }, + "network": { + "application": "dns client", + "iana_number": "17", + "protocol": "dns", + "transport": "udp" + }, + "observer": { + "egress": { "interface": { "name": "outside" } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + }, + "hostname": "siem-ftd", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": 
"asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593582687Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 57141 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "an authoritative name server", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": 
"Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", "application_protocol": "DNS", - "initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "57141", - "dns_ttl": "21599", + "connection_duration": "0", + "dns_record_type": "a domain name pointer", + "dns_ttl": "59", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "221", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "131", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "46093", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 131, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 131, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -2755,140 +2770,142 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 46093, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], 
+ "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593583018Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 46093 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "a domain name pointer", - "responder_packets": "1", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "access_control_rule_action": "Allow", - "prefilter_policy": "Default Prefilter Policy", - "nap_policy": "Balanced Security and Connectivity", - "ingress_zone": "input-zone", - "dst_ip": 
"81.2.69.144", "ac_policy": "default", - "src_port": "46093", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Intrusion-Rule", + "access_control_rule_reason": "Intrusion Monitor", "application_protocol": "DNS", - "dns_ttl": "59", - "initiator_bytes": "93", - "initiator_packets": "1", + "client": "DNS client", "connection_duration": "0", + "dns_query": "elastic.co", + "dns_record_type": "text strings", + "dns_ttl": "299", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "client": "DNS client", - "responder_bytes": "131", + "ingress_zone": "input-zone", + "initiator_bytes": "93", + "initiator_packets": "1", + "ips_count": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "722", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "58082", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 722, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 722, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -2897,119 +2914,81 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 58082, - "bytes": 93, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-26T23:11:03.000Z", + "kind": "event", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", + "outcome": "success", + "severity": 1, + "start": "2019-08-26T23:11:03.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "inside" } }, - "hostname": "siem-ftd", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-26T23:11:03.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" 
- ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:39.593583358Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", - "code": "430003", - "kind": "event", - "start": "2019-08-26T23:11:03.000Z", - "action": "connection-finished", - "end": "2019-08-26T23:11:03.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 93, + "ip": "10.0.1.20", + "packets": 1, + "port": 58082 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "security": { - "access_control_rule_reason": "Intrusion Monitor", - "egress_zone": "output-zone", - "dns_record_type": "text strings", - "responder_packets": "1", - "dns_query": "elastic.co", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", - "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "udp", - "application_protocol": "DNS", - 
"initiator_bytes": "93", - "initiator_packets": "1", - "connection_duration": "0", - "client": "DNS client", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "58082", - "dns_ttl": "299", - "dst_port": "53", - "ingress_interface": "inside", - "ips_count": "1", - "responder_bytes": "722", - "user": "No Authentication Required" - }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], - "source_interface": "inside" - } + "id": "No Authentication Required", + "name": "No Authentication Required" } } ] diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json index c08cccdbdfa..663f056dcca 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json @@ -1,6 +1,32 @@ { "expected": [ { + "@timestamp": "2019-01-01T01:00:27.000Z", + "cisco": { + "ftd": {} + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "999999", + "kind": "event", + "original": "Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "hostname": "beats" + }, + "log": { + "level": "debug" + }, "observer": { "hostname": "beats", "product": "asa", 
@@ -11,43 +37,39 @@ "name": "asa", "pid": 1234 }, - "@timestamp": "2019-01-01T01:00:27.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "beats" ] }, - "log": { - "level": "debug" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2019-01-01T01:00:30.000Z", + "cisco": { + "ftd": {} }, - "host": { - "hostname": "beats" + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.824205506Z", - "original": "Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.", - "code": "999999", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "999999", + "kind": "event", + "original": "Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level.", + "severity": 8, "type": [ "info" ] }, - "cisco": { - "ftd": {} + "host": { + "hostname": "beats" }, - "tags": [ - "preserve_original_event" - ] - }, - { "observer": { "hostname": "beats", "product": "asa", @@ -58,35 +80,11 @@ "name": "asa", "pid": 1234 }, - "@timestamp": "2019-01-01T01:00:30.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "beats" ] }, - "host": { - "hostname": "beats" - }, - "event": { - "severity": 8, - "ingested": "2021-12-14T14:37:43.824208214Z", - "original": "Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level.", - "code": "999999", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json index c483bae03e3..d90ba7264a1 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json 
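Review bot: The second record in this hunk is emitted with `"severity": 8` and no `log.level`, although `%FTD-8-999999` is outside the 0–7 syslog severity range and the message text itself says it should be dropped due to log level; the regenerated expected output therefore pins that an out-of-range severity passes through silently with a missing `log.level`. If that is the intended contract for this `test-filtered` fixture, the pipeline's severity-to-level mapping deserves a comment saying that values outside 0–7 are kept in `event.severity` and produce no `log.level`; if it is not, the pipeline should set `event.severity` only from a value that parses into 0–7 and keep the raw token elsewhere. The rest of this record's fields sit in the following hunk.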
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json 
@@ -1,1261 +1,1227 @@ { "expected": [ { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T13:56:30.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "platformSettingEdit.cgi" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991231592Z", - "original": "\u003c14\u003eAug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T13:57:19.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:57:19 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + 
"process": { + "name": "platformSettingEdit.cgi" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991234161Z", - "original": "\u003c14\u003eAug 14 2019 13:57:19 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "ChangeReconciliation.cgi" - }, "@timestamp": "2019-08-14T13:57:26.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:57:26 ChangeReconciliation.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "ChangeReconciliation.cgi" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991234631Z", - "original": "\u003c14\u003eAug 14 2019 13:57:26 ChangeReconciliation.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T13:57:34.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + 
"event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:57:34 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "platformSettingEdit.cgi" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991235049Z", - "original": "\u003c14\u003eAug 14 2019 13:57:34 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "lights_out_mgmt.cgi" - }, "@timestamp": "2019-08-14T13:57:43.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:57:43 lights_out_mgmt.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "lights_out_mgmt.cgi" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991235436Z", - "original": "\u003c14\u003eAug 14 2019 13:57:43 lights_out_mgmt.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e 
Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:02.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "mojo_server.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991235827Z", - "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:02.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "mojo_server.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": 
"2021-12-14T14:37:43.991236232Z", - "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:20.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:58:20 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "mojo_server.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991236633Z", - "original": "\u003c14\u003eAug 14 2019 13:58:20 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:41.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:58:41 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + 
"name": "mojo_server.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991237020Z", - "original": "\u003c14\u003eAug 14 2019 13:58:41 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T13:58:47.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:58:47 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991237399Z", - "original": "\u003c14\u003eAug 14 2019 13:58:47 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:52.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:58:52 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { 
"name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "mojo_server.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991237786Z", - "original": "\u003c14\u003eAug 14 2019 13:58:52 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:54.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:58:54 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "mojo_server.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991238396Z", - "original": "\u003c14\u003eAug 14 2019 13:58:54 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T13:59:10.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + 
"original": "\u003c14\u003eAug 14 2019 13:59:10 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991238793Z", - "original": "\u003c14\u003eAug 14 2019 13:59:10 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T13:59:15.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 13:59:15 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991239186Z", - "original": "\u003c14\u003eAug 14 2019 13:59:15 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": 
"2019-08-14T14:00:37.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991239578Z", - "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:00:37.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991239980Z", - "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", - 
"code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:00:37.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991240510Z", - "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:12.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": 
"2021-12-14T14:37:43.991240894Z", - "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:12.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991241275Z", - "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:13.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:13 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" 
+ }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991241656Z", - "original": "\u003c14\u003eAug 14 2019 14:01:13 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:20.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:20 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991242046Z", - "original": "\u003c14\u003eAug 14 2019 14:01:20 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "ActionQueueScrape.pl" - }, "@timestamp": "2019-08-14T14:01:31.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + 
"severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "ActionQueueScrape.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991242433Z", - "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "ActionQueueScrape.pl" - }, "@timestamp": "2019-08-14T14:01:31.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "ActionQueueScrape.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991242814Z", - "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "ActionQueueScrape.pl" - }, "@timestamp": "2019-08-14T14:01:35.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - 
"log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "ActionQueueScrape.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991243314Z", - "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "ActionQueueScrape.pl" - }, "@timestamp": "2019-08-14T14:01:36.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:36 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "ActionQueueScrape.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991243696Z", - "original": "\u003c14\u003eAug 14 2019 14:01:36 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - 
"type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T14:01:55.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:55 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "mojo_server.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991244091Z", - "original": "\u003c14\u003eAug 14 2019 14:01:55 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:56.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:56 sfdccsm: siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991244481Z", - "original": "\u003c14\u003eAug 14 2019 14:01:56 sfdccsm: siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - 
SUCCESS\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:57.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:01:57 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "sfdccsm" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991244860Z", - "original": "\u003c14\u003eAug 14 2019 14:01:57 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T14:02:03.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:02:03 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "mojo_server.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991245243Z", - "original": "\u003c14\u003eAug 14 2019 14:02:03 mojo_server.pl: 
siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "index.cgi" - }, "@timestamp": "2019-08-14T14:02:11.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:02:11 index.cgi: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "index.cgi" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991245652Z", - "original": "\u003c14\u003eAug 14 2019 14:02:11 index.cgi: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T14:02:19.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "mojo_server.pl" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - 
"severity": 7, - "ingested": "2021-12-14T14:37:43.991246040Z", - "original": "\u003c14\u003eAug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T14:02:31.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "platformSettingEdit.cgi" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991246428Z", - "original": "\u003c14\u003eAug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T14:02:38.000Z", + "cisco": { + "ftd": {} + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e 
Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "platformSettingEdit.cgi" + }, "syslog": { "facility": { "code": 14 } }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991246824Z", - "original": "\u003c14\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - }, "tags": [ "preserve_original_event" ] }, { - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" - }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T14:02:38.000Z", + "cisco": { + "ftd": { + "security": {} + } + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "debug" + "event": { + "code": "", + "original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled", + "severity": 7 }, "host": { "name": "siem-management" }, + "log": { + "level": "debug" + }, + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "platformSettingEdit.cgi" + }, "syslog": { - "priority": 2, "facility": { "code": 14 - } - }, - "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:43.991247204Z", - "original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled", - "code": "" - }, - "cisco": { - "ftd": { - 
"security": {}
- }
+ },
+ "priority": 2
 },
 "tags": [
 "preserve_original_event"
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json
index 585ffd43c2b..11cc21e1694 100644
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json
@@ -1,451 +1,447 @@
 {
 "expected": [
 {
- "log": {
- "level": "unknown"
+ "@timestamp": "2019-08-16T09:54:00.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "outside",
+ "rule_name": [
+ "intrusion-policy",
+ "default"
+ ],
+ "security": {
+ "ac_policy": "default",
+ "application_protocol": "HTTP",
+ "classification": "Attempted User Privilege Gain",
+ "client": "Firefox",
+ "dst_ip": "10.0.100.30",
+ "dst_port": "80",
+ "egress_interface": "outside",
+ "egress_zone": "output-zone",
+ "gid": "1",
+ "ingress_interface": "inside",
+ "ingress_zone": "input-zone",
+ "intrusion_policy": "intrusion-policy",
+ "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt",
+ "nap_policy": "Balanced Security and Connectivity",
+ "priority": "1",
+ "protocol": "tcp",
+ "revision": "12",
+ "sid": "17279",
+ "src_ip": "10.0.1.20",
+ "src_port": "55644",
+ "user": "No Authentication Required"
+ },
+ "source_interface": "inside"
+ }
 },
 "destination": {
- "port": 80,
 "address": "10.0.100.30",
- "ip": "10.0.100.30"
+ "ip": "10.0.100.30",
+ "port": 80
 },
- "source": {
- "port": 55644,
- "address": "10.0.1.20",
- "ip": "10.0.1.20"
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "action": "intrusion-detected",
+ "category": [
+ "intrusion_detection"
+ ],
+ "code": "430001",
+ "kind": "alert",
+ "original": "2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
+ "severity": 0,
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "firepower"
+ },
+ "log": {
+ "level": "unknown"
 },
 "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt",
 "network": {
- "protocol": "http",
- "transport": "tcp",
 "application": "firefox",
- "iana_number": "6"
+ "iana_number": "6",
+ "protocol": "http",
+ "transport": "tcp"
 },
- "tags": [
- "preserve_original_event"
- ],
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ },
+ "hostname": "firepower",
 "ingress": {
 "interface": {
 "name": "inside"
 }
 },
- "hostname": "firepower",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco",
- "egress": {
- "interface": {
- "name": "outside"
- }
- }
- },
- "@timestamp": "2019-08-16T09:54:00.000Z",
- "ecs": {
- "version": "1.12.0"
+ "vendor": "Cisco"
 },
 "related": {
- "user": [
- "No Authentication Required"
- ],
 "hosts": [
 "firepower"
 ],
 "ip": [
 "10.0.1.20",
 "10.0.100.30"
+ ],
+ "user": [
+ "No Authentication Required"
 ]
 },
 "service": {
 "id": "1"
 },
- "host": {
- "hostname": "firepower"
- },
- "event": {
- "severity": 0,
- "ingested": "2021-12-14T14:37:45.778530267Z",
- "original": "2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
- "code": "430001",
- "kind": "alert",
- "action": "intrusion-detected",
- "category": [
- "intrusion_detection"
- ],
- "type": [
- "info"
- ]
+ "source": {
+ "address": "10.0.1.20",
+ "ip": "10.0.1.20",
+ "port": 55644
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "user": {
- "name": "No
Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-16T09:57:02.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "intrusion-policy", + "default" + ], "security": { - "intrusion_policy": "intrusion-policy", + "ac_policy": "default", + "application_protocol": "HTTP", + "classification": "Attempted User Privilege Gain", + "client": "Firefox", + "dst_ip": "10.0.100.30", + "dst_port": "80", + "egress_interface": "outside", "egress_zone": "output-zone", "gid": "1", - "egress_interface": "outside", - "nap_policy": "Balanced Security and Connectivity", + "ingress_interface": "inside", "ingress_zone": "input-zone", + "intrusion_policy": "intrusion-policy", "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", + "nap_policy": "Balanced Security and Connectivity", "priority": "1", - "classification": "Attempted User Privilege Gain", - "dst_ip": "10.0.100.30", - "sid": "17279", + "protocol": "tcp", "revision": "12", - "ac_policy": "default", - "src_port": "55644", + "sid": "17279", "src_ip": "10.0.1.20", - "protocol": "tcp", - "application_protocol": "HTTP", - "dst_port": "80", - "ingress_interface": "inside", - "client": "Firefox", + "src_port": "55868", "user": "No Authentication Required" }, - "rule_name": [ - "intrusion-policy", - "default" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "unknown" }, "destination": { - "port": 80, "address": "10.0.100.30", - "ip": "10.0.100.30" + "ip": "10.0.100.30", + "port": 80 }, - "source": { - "port": 55868, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "intrusion-detected", + "category": [ + "intrusion_detection" + ], + "code": "430001", + "kind": "alert", + "original": "2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, 
SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "severity": 0, + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "unknown" }, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", "network": { - "protocol": "http", - "transport": "tcp", "application": "firefox", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "inside" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-16T09:57:02.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, "service": { "id": "1" }, - "host": { - "hostname": "firepower" - }, - "event": { - "severity": 0, - "ingested": "2021-12-14T14:37:45.778533414Z", - "original": "2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small 
Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", - "code": "430001", - "kind": "alert", - "action": "intrusion-detected", - "category": [ - "intrusion_detection" - ], - "type": [ - "info" - ] + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 55868 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-16T10:04:44.000Z", "cisco": { "ftd": { - "destination_interface": "outside", + "destination_interface": "inside", + "rule_name": [ + "intrusion-policy", + "default" + ], "security": { - "intrusion_policy": "intrusion-policy", - "egress_zone": "output-zone", + "ac_policy": "default", + "classification": "Misc Activity", + "dst_ip": "10.0.1.20", + "dst_port": "39114", + "egress_interface": "inside", + "egress_zone": "input-zone", "gid": "1", - "egress_interface": "outside", + "ingress_interface": "outside", + "ingress_zone": "output-zone", + "intrusion_policy": "intrusion-policy", + "message": "APP-DETECT failed FTP login attempt", "nap_policy": "Balanced Security and Connectivity", - "ingress_zone": "input-zone", - "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", - "priority": "1", - "classification": "Attempted User Privilege Gain", - "dst_ip": "10.0.100.30", - "sid": "17279", - "revision": "12", - "ac_policy": "default", - "src_port": "55868", - "src_ip": "10.0.1.20", + "priority": "3", "protocol": "tcp", - "application_protocol": "HTTP", - "dst_port": "80", - "ingress_interface": "inside", - "client": "Firefox", + "revision": "6", + "sid": "13360", + "src_ip": "10.0.100.30", + "src_port": "21", 
"user": "No Authentication Required" }, - "rule_name": [ - "intrusion-policy", - "default" - ], - "source_interface": "inside" + "source_interface": "outside" } - } - }, - { - "log": { - "level": "unknown" }, "destination": { - "port": 39114, "address": "10.0.1.20", - "ip": "10.0.1.20" + "ip": "10.0.1.20", + "port": 39114 }, - "source": { - "port": 21, - "address": "10.0.100.30", - "ip": "10.0.100.30" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "intrusion-detected", + "category": [ + "intrusion_detection" + ], + "code": "430001", + "kind": "alert", + "original": "2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "severity": 0, + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "unknown" }, "message": "APP-DETECT failed FTP login attempt", "network": { "iana_number": "6", "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "outside" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2019-08-16T10:04:44.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.100.30", "10.0.1.20" + ], + "user": [ + "No Authentication Required" ] }, "service": { "id": "1" }, - "host": { - "hostname": "firepower" - }, - 
"event": { - "severity": 0, - "ingested": "2021-12-14T14:37:45.778533878Z", - "original": "2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", - "code": "430001", - "kind": "alert", - "action": "intrusion-detected", - "category": [ - "intrusion_detection" - ], - "type": [ - "info" - ] + "source": { + "address": "10.0.100.30", + "ip": "10.0.100.30", + "port": 21 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-16T10:09:47.000Z", "cisco": { "ftd": { "destination_interface": "inside", + "rule_name": [ + "intrusion-policy", + "default" + ], "security": { - "intrusion_policy": "intrusion-policy", + "ac_policy": "default", + "classification": "Misc Activity", + "dst_ip": "10.0.1.20", + "dst_port": "40740", + "egress_interface": "inside", "egress_zone": "input-zone", "gid": "1", - "egress_interface": "inside", - "nap_policy": "Balanced Security and Connectivity", + "ingress_interface": "outside", "ingress_zone": "output-zone", + "intrusion_policy": "intrusion-policy", "message": "APP-DETECT failed FTP login attempt", + "nap_policy": "Balanced Security and Connectivity", "priority": "3", - "classification": "Misc Activity", - "dst_ip": "10.0.1.20", - "sid": "13360", + "protocol": "6", "revision": "6", - "ac_policy": "default", - "src_port": "21", + "sid": "13360", "src_ip": "10.0.100.30", - "protocol": "tcp", - "dst_port": "39114", - 
"ingress_interface": "outside", + "src_port": "21", "user": "No Authentication Required" }, - "rule_name": [ - "intrusion-policy", - "default" - ], "source_interface": "outside" } - } - }, - { - "log": { - "level": "unknown" }, "destination": { - "port": 40740, "address": "10.0.1.20", - "ip": "10.0.1.20" + "ip": "10.0.1.20", + "port": 40740 }, - "source": { - "port": 21, - "address": "10.0.100.30", - "ip": "10.0.100.30" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "intrusion-detected", + "category": [ + "intrusion_detection" + ], + "code": "430001", + "kind": "alert", + "original": "2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "severity": 0, + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "unknown" }, "message": "APP-DETECT failed FTP login attempt", "network": { "iana_number": "6", "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "outside" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2019-08-16T10:09:47.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.100.30", "10.0.1.20" + ], + "user": [ + "No Authentication Required" ] }, "service": { "id": "1" }, - "host": { - "hostname": 
"firepower" - }, - "event": { - "severity": 0, - "ingested": "2021-12-14T14:37:45.778534262Z", - "original": "2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", - "code": "430001", - "kind": "alert", - "action": "intrusion-detected", - "category": [ - "intrusion_detection" - ], - "type": [ - "info" - ] + "source": { + "address": "10.0.100.30", + "ip": "10.0.100.30", + "port": 21 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "security": { - "intrusion_policy": "intrusion-policy", - "egress_zone": "input-zone", - "gid": "1", - "egress_interface": "inside", - "nap_policy": "Balanced Security and Connectivity", - "ingress_zone": "output-zone", - "message": "APP-DETECT failed FTP login attempt", - "priority": "3", - "classification": "Misc Activity", - "dst_ip": "10.0.1.20", - "sid": "13360", - "revision": "6", - "ac_policy": "default", - "src_port": "21", - "src_ip": "10.0.100.30", - "protocol": "6", - "dst_port": "40740", - "ingress_interface": "outside", - "user": "No Authentication Required" - }, - "rule_name": [ - "intrusion-policy", - "default" - ], - "source_interface": "outside" - } + "id": "No Authentication Required", + "name": "No Authentication Required" } } ] diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json index d11000438f6..8546221cf41 100644 
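Review bot: Every event in this hunk pins the vendor placeholder "No Authentication Required" into `user.name`, `user.id` and `related.user`, which turns a sentinel meaning "no identity" into an ECS identity value; any detection or dashboard that keys on `related.user` will treat it as a real account. The raw token is already preserved in `cisco.ftd.security.user`, so if the pipeline can recognise it the ECS `user.*` fields and the `related.user` entry should be omitted, and the expected output here would then drop those keys. If populating them is intentional, a line in the test's source-log comment or the README stating that FTD's placeholder user is carried through verbatim would make the fixture self-explanatory. This is pre-existing behaviour rather than something the commit introduces, but a change aligning fields with ECS is the natural place to settle it.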
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json @@ -1,38 +1,58 @@ { "expected": [ { - "process": { - "name": "ftd", - "pid": 1234 - }, - "log": { - "level": "debug" + "@timestamp": "2018-01-11T01:00:27.000Z", + "cisco": { + "ftd": { + "security": { + "application_protocol": "http", + "client": "webserver", + "dst_ip": "10.8.12.47", + "message": "Intrusion attempt", + "src_ip": "10.1.123.45" + } + } }, "destination": { "address": "10.8.12.47", "ip": "10.8.12.47" }, - "source": { - "address": "10.1.123.45", - "ip": "10.1.123.45" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "intrusion-detected", + "category": [ + "intrusion_detection" + ], + "code": "430001", + "kind": "alert", + "original": "Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "hostname": "beats" + }, + "log": { + "level": "debug" }, "message": "Intrusion attempt", "network": { "application": "webserver", "protocol": "http" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "beats", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2018-01-11T01:00:27.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "ftd", + "pid": 1234 }, "related": { "hosts": [ 
@@ -43,186 +63,191 @@ "10.8.12.47" ] }, - "host": { - "hostname": "beats" + "source": { + "address": "10.1.123.45", + "ip": "10.1.123.45" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-01-11T01:00:27.000Z", + "cisco": { + "ftd": { + "security": { + "http_response": "404", + "message": "Some message here (1:36330:2)." + } + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:46.471794455Z", - "original": "Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", - "code": "430001", - "kind": "alert", "action": "intrusion-detected", "category": [ "intrusion_detection" ], + "code": "430001", + "kind": "alert", + "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).", + "severity": 7, "type": [ "info" ] }, - "cisco": { - "ftd": { - "security": { - "src_ip": "10.1.123.45", - "client": "webserver", - "application_protocol": "http", - "message": "Intrusion attempt", - "dst_ip": "10.8.12.47" - } + "host": { + "hostname": "beats" + }, + "http": { + "response": { + "status_code": 404 } - } - }, - { - "process": { - "name": "ftd", - "pid": 1234 }, "log": { "level": "debug" }, "message": "Some message here (1:36330:2).", - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "beats", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2018-01-11T01:00:27.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "ftd", + "pid": 1234 }, "related": { "hosts": [ "beats" ] }, - "host": { - "hostname": "beats" - }, - "http": { - "response": { - "status_code": 404 + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-01-11T01:00:27.000Z", + "cisco": { + "ftd": { + "security": { + "http_response": "404", + "message": "Some message here (1:36330:2)" + } } }, + "ecs": { + "version": 
"1.12.0" + }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:46.471797245Z", - "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).", - "code": "430001", - "kind": "alert", - "action": "intrusion-detected", + "action": "connection-started", "category": [ - "intrusion_detection" + "network" ], + "code": "430002", + "kind": "event", + "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:", + "severity": 7, "type": [ - "info" + "connection", + "start" ] }, - "cisco": { - "ftd": { - "security": { - "http_response": "404", - "message": "Some message here (1:36330:2)." - } + "host": { + "hostname": "beats" + }, + "http": { + "response": { + "status_code": 404 } - } - }, - { - "process": { - "name": "ftd", - "pid": 1234 }, "log": { "level": "debug" }, "message": "Some message here (1:36330:2)", - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "beats", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2018-01-11T01:00:27.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "ftd", + "pid": 1234 }, "related": { "hosts": [ "beats" ] }, - "host": { - "hostname": "beats" - }, - "http": { - "response": { - "status_code": 404 + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-01-11T01:00:27.000Z", + "cisco": { + "ftd": { + "security": { + "dst_ip": "192.168.3.33", + "dst_port": "64311", + "http_response": "404", + "message": [ + "This one has a type id", + "And two messages" + ], + "src_ip": "127.0.0.1", + "src_port": "512" + } } }, + "destination": { + "address": "192.168.3.33", + "ip": "192.168.3.33", + "port": 64311 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 7, - "ingested": "2021-12-14T14:37:46.471797755Z", - "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here 
(1:36330:2), Empty: ,FileCount:, IngressZone:", - "code": "430002", - "kind": "event", - "action": "connection-started", + "action": "malware-detected", "category": [ - "network" + "malware" ], + "code": "430005", + "kind": "alert", + "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", + "severity": 3, "type": [ - "connection", - "start" + "info" ] }, - "cisco": { - "ftd": { - "security": { - "http_response": "404", - "message": "Some message here (1:36330:2)" - } + "host": { + "hostname": "beats" + }, + "http": { + "response": { + "status_code": 404 } - } - }, - { - "process": { - "name": "ftd", - "pid": 1234 }, "log": { "level": "error" }, - "destination": { - "port": 64311, - "address": "192.168.3.33", - "ip": "192.168.3.33" - }, - "source": { - "port": 512, - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, "message": [ "This one has a type id", "And two messages" ], - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "beats", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2018-01-11T01:00:27.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "ftd", + "pid": 1234 }, "related": { "hosts": [ 
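Review bot: The last event in this hunk (code 430005) pins `message` as a two-element array, `"message": ["This one has a type id", "And two messages"]`, while every other event in the fixture carries a plain string; ECS documents `message` as a single text value, so a log viewer or a string-equality detection on `message` will behave differently for this record. Because the pipeline already keeps both raw values in `cisco.ftd.security.message`, the expected output could pin a single string in `message` (joined or the first `Message:` field), which is worth confirming against the pipeline rather than fixing in the fixture alone. The event continues into the next hunk, which also pins its `source` and `tags` keys.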
@@ -233,43 +258,14 @@ "192.168.3.33" ] }, - "host": { - "hostname": "beats" - }, - "http": { - "response": { - "status_code": 404 - } - }, - "event": { - "severity": 3, - "ingested": "2021-12-14T14:37:46.471798145Z", - "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", - "code": "430005", - "kind": "alert", - "action": "malware-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 512 }, - "cisco": { - "ftd": { - "security": { - "src_port": "512", - "http_response": "404", - "src_ip": "127.0.0.1", - "dst_port": "64311", - "message": [ - "This one has a type id", - "And two messages" - ], - "dst_ip": "192.168.3.33" - } - } - } + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json index 5de3d206fb9..67715bd665a 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json 
@@ -1,44 +1,62 @@ { "expected": [ { - "log": { - "level": "notification" + "@timestamp": "2019-10-04T15:27:55.000Z", + "cisco": { + "ftd": { + "destination_interface": "OUTSIDE", + "rule_name": "AL-DMZ-LB-IN", + "source_interface": "LB-DMZ" + } }, "destination": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 53 }, - "syslog": { - "facility": { - "code": 165 - } + "ecs": { + "version": "1.12.0" }, - "source": { - "port": 27218, - "address": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", - "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244" + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "outcome": "failure", + "severity": 5, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "OUTSIDE" + } + }, "ingress": { "interface": { "name": "LB-DMZ" @@ -46,16 +64,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "OUTSIDE" - } - } - }, - "@timestamp": "2019-10-04T15:27:55.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -65,45 +74,54 @@ "81.2.69.144" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:46.872025477Z", - "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", + "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", + "port": 27218 }, - "cisco": { - "ftd": { - "destination_interface": "OUTSIDE", - "rule_name": "AL-DMZ-LB-IN", - "source_interface": "LB-DMZ" + "syslog": { + "facility": { + "code": 165 } - } + }, + "tags": [ + "preserve_original_event" + ] }, { - "log": { - "level": "informational" + "@timestamp": "2020-01-01T10:42:53.000Z", + "cisco": { + "ftd": { + "mapped_source_host": "mydomain.example.net" + } }, "destination": { "address": "172.24.177.29", "ip": "172.24.177.29" }, - "source": { - "address": "192.168.132.46", - "ip": "192.168.132.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302021", + "kind": "event", + "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", + "severity": 6, + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "localhost" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" @@ -114,10 +132,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2020-01-01T10:42:53.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "localhost" 
@@ -127,77 +141,78 @@ "172.24.177.29" ] }, - "host": { - "hostname": "localhost" + "source": { + "address": "192.168.132.46", + "ip": "192.168.132.46" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-01-02T11:33:20.000Z", + "cisco": { + "ftd": { + "destination_interface": "wan", + "mapped_destination_host": "www.example.org", + "mapped_destination_port": 80, + "mapped_source_host": "source.example.net", + "mapped_source_port": 11234, + "rule_name": "dynamic", + "source_interface": "eth0", + "threat_category": "malware", + "threat_level": "high" + } + }, + "destination": { + "address": "172.24.177.3", + "domain": "example.org", + "ip": "172.24.177.3", + "port": 80 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:46.872028339Z", - "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", - "code": "302021", - "kind": "event", - "action": "flow-expiration", + "action": "firewall-rule", "category": [ "network" ], + "code": "338204", + "kind": "event", + "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", + "outcome": "failure", + "severity": 4, "type": [ - "connection", - "end" + "info", + "denied" ] }, - "cisco": { - "ftd": { - "mapped_source_host": "mydomain.example.net" - } - } - }, - { - "server": { - "domain": "example.org" + "host": { + "hostname": "localhost" }, "log": { "level": "warning" }, - "destination": { - "address": "172.24.177.3", - "port": 80, - "domain": "example.org", - "ip": "172.24.177.3" - }, - "source": { - "nat": { - "port": 11234 - }, - "address": "10.10.10.1", - "port": 1234, - "ip": 
"10.10.10.1" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "wan" + } + }, + "hostname": "localhost", "ingress": { "interface": { "name": "eth0" } }, - "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "wan" - } - } - }, - "@timestamp": "2020-01-02T11:33:20.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ @@ -209,38 +224,20 @@ "172.24.177.3" ] }, - "host": { - "hostname": "localhost" + "server": { + "domain": "example.org" }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:46.872028753Z", - "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", - "code": "338204", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.10.10.1", + "ip": "10.10.10.1", + "nat": { + "port": 11234 + }, + "port": 1234 }, - "cisco": { - "ftd": { - "mapped_destination_host": "www.example.org", - "destination_interface": "wan", - "mapped_source_port": 11234, - "threat_level": "high", - "mapped_source_host": "source.example.net", - "rule_name": "dynamic", - "source_interface": "eth0", - "mapped_destination_port": 80, - "threat_category": "malware" - } - } + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json index 6ee48db1219..ad7d2e845ec 100644 
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json @@ -1,27 +1,50 @@ { "expected": [ { - "log": { - "level": "warning" + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "acl_dmz", + "source_interface": "dmz" + } }, "destination": { - "port": 53, "address": "192.168.0.8", - "ip": "192.168.0.8" + "ip": "192.168.0.8", + "port": 53 }, - "source": { - "port": 63016, - "address": "10.1.2.30", - "ip": "10.1.2.30" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "dmz" @@ -29,16 +52,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-15T09:36:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -46,52 +60,60 @@ "192.168.0.8" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267657061Z", - "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.1.2.30", + "ip": "10.1.2.30", + "port": 63016 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-15T09:36:50.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_dmz", "source_interface": "dmz" } - } - }, - { - "log": { - "level": "warning" }, "destination": { - "port": 53, "address": "192.168.0.8", - "ip": "192.168.0.8" + "ip": "192.168.0.8", + "port": 53 }, - "source": { - "port": 63016, - "address": "10.1.2.30", - "ip": "10.1.2.30" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "dmz" @@ -99,16 +121,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-15T09:36:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -116,52 +129,61 @@ "192.168.0.8" ] }, + "source": { + "address": "10.1.2.30", + "ip": "10.1.2.30", + "port": 63016 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-04-15T13:34:34.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside", + "suffix": "session" + } + }, + "destination": { + "address": "192.168.0.89", + "ip": "192.168.0.89", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267659298Z", - "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "rule_name": "acl_dmz", - "source_interface": "dmz" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.89", - "ip": "192.168.0.89" - }, - "source": { - "port": 2241, - "address": "10.1.2.16", - "ip": "10.1.2.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -169,16 +191,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2014-04-15T13:34:34.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -186,71 +199,72 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267659684Z", - "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.1.2.16", + "ip": "10.1.2.16", + "port": 2241 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-24T16:00:28.000Z", "cisco": { "ftd": { "destination_interface": "outside", - "suffix": "session", - "rule_name": "acl_in", + "rule_name": "inside", "source_interface": "inside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 53, "address": "192.168.2.10", - "ip": "192.168.2.10" + "ip": "192.168.2.10", + "port": 53 }, - "source": { - "port": 1039, - "address": "172.29.2.101", - "ip": "172.29.2.101" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "outcome": "failure", + "severity": 6, + "type": [ + "info", + "denied" + ] + }, + "host": { + "hostname": "INT-FW01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "INT-FW01", "ingress": { "interface": { "name": "inside" } }, - "hostname": "INT-FW01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": 
"2013-04-24T16:00:28.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -261,73 +275,72 @@ "192.168.2.10" ] }, - "host": { - "hostname": "INT-FW01" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267660023Z", - "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "172.29.2.101", + "ip": "172.29.2.101", + "port": 1039 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-24T16:00:27.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "inside", "source_interface": "inside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 53, "address": "192.168.2.57", - "ip": "192.168.2.57" + "ip": "192.168.2.57", + "port": 53 }, - "source": { - "port": 1065, - "address": "172.29.2.3", - "ip": "172.29.2.3" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "outcome": "success", + "severity": 6, + "type": [ + "info", + "allowed" + ] + }, + "host": { + "hostname": "INT-FW01" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "INT-FW01", "ingress": { "interface": { "name": "inside" } }, - "hostname": "INT-FW01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": 
"2013-04-24T16:00:27.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -338,72 +351,65 @@ "192.168.2.57" ] }, - "host": { - "hostname": "INT-FW01" + "source": { + "address": "172.29.2.3", + "ip": "172.29.2.3", + "port": 1065 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.2.130", + "ip": "192.168.2.130", + "port": 12834 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267660370Z", - "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", + "severity": 6, "type": [ - "info", - "allowed" - ], - "outcome": "success" + "info" + ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "rule_name": "inside", - "source_interface": "inside" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 12834, - "address": "192.168.2.130", - "ip": "192.168.2.130" - }, - "source": { - "port": 4952, - "address": "10.123.3.42", - "ip": "10.123.3.42" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -411,70 +417,74 @@ "192.168.2.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267660718Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "10.123.3.42", + "ip": "10.123.3.42", + "port": 4952 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", "cisco": { "ftd": { + "connection_id": "89743274", "destination_interface": "outside", + "mapped_destination_ip": "10.123.3.42", + "mapped_destination_port": 12834, + "mapped_source_ip": "192.168.2.43", + "mapped_source_port": 443, "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { + "address": "10.123.3.42", + "ip": "10.123.3.42", "nat": { "port": 12834 }, - "address": "10.123.3.42", - "port": 4952, - "ip": "10.123.3.42" + "port": 4952 }, - "source": { - "port": 443, - "address": "192.168.2.43", - "ip": "192.168.2.43" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } - }, - "@timestamp": 
"2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -482,71 +492,65 @@ "10.123.3.42" ] }, + "source": { + "address": "192.168.2.43", + "ip": "192.168.2.43", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.2.130", + "ip": "192.168.2.130", + "port": 25882 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267661049Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "mapped_source_port": 443, - "mapped_destination_ip": "10.123.3.42", - "mapped_source_ip": "192.168.2.43", - "connection_id": "89743274", - "source_interface": "outside", - "mapped_destination_port": 12834 - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 25882, - "address": "192.168.2.130", - "ip": "192.168.2.130" - }, - "source": { - "port": 52925, - "address": "10.123.1.35", - "ip": "10.123.1.35" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + 
"vendor": "Cisco" }, "related": { "ip": [ 
@@ -554,73 +558,74 @@ "192.168.2.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267661388Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "10.123.1.35", + "ip": "10.123.1.35", + "port": 52925 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", "cisco": { "ftd": { + "connection_id": "89743275", "destination_interface": "outside", + "mapped_destination_ip": "10.123.1.35", + "mapped_destination_port": 25882, + "mapped_source_ip": "192.168.2.43", + "mapped_source_port": 53, "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { + "address": "10.123.1.35", + "ip": "10.123.1.35", "nat": { "port": 25882 }, - "address": "10.123.1.35", - "port": 52925, - "ip": "10.123.1.35" + "port": 52925 }, - "source": { - "nat": { - "ip": "192.168.2.43" - }, - "address": "192.168.2.222", - "port": 53, - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302015", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": 
"outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -629,71 +634,68 @@ "10.123.1.35" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "nat": { + "ip": "192.168.2.43" + }, + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.2.130", + "ip": "192.168.2.130", + "port": 45392 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267661716Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "mapped_source_port": 53, - "mapped_destination_ip": "10.123.1.35", - "mapped_source_ip": "192.168.2.43", - "connection_id": "89743275", - "source_interface": "outside", - "mapped_destination_port": 25882 - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 45392, - "address": "192.168.2.130", - "ip": "192.168.2.130" - }, - "source": { - "port": 4953, - "address": "10.123.3.42", - "ip": "10.123.3.42" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": { "name": "outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": 
"asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -701,71 +703,75 @@ "192.168.2.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267662058Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "10.123.3.42", + "ip": "10.123.3.42", + "port": 4953 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", "cisco": { "ftd": { + "connection_id": "89743276", "destination_interface": "outside", + "mapped_destination_ip": "10.123.3.130", + "mapped_destination_port": 45392, + "mapped_source_ip": "192.168.2.1", + "mapped_source_port": 80, "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { + "address": "10.123.3.42", + "ip": "10.123.3.42", "nat": { - "port": 45392, - "ip": "10.123.3.130" + "ip": "10.123.3.130", + "port": 45392 }, - "address": "10.123.3.42", - "port": 4953, - "ip": "10.123.3.42" + "port": 4953 }, - "source": { - "port": 80, - "address": "192.168.2.1", - "ip": "192.168.2.1" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "outside" } }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", - "egress": { + "ingress": { "interface": 
{ "name": "outside" } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -774,55 +780,63 @@ "10.123.3.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267662390Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.2.1", + "ip": "192.168.2.1", + "port": 80 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", "cisco": { "ftd": { - "destination_interface": "outside", - "mapped_source_port": 80, - "mapped_destination_ip": "10.123.3.130", - "mapped_source_ip": "192.168.2.1", - "connection_id": "89743276", - "source_interface": "outside", - "mapped_destination_port": 45392 + "connection_id": "89743275", + "destination_interface": "inside", + "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 52925, "address": "10.123.1.35", - "ip": "10.123.1.35" + "ip": "10.123.1.35", + "port": 52925 }, - "source": { - "port": 53, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302016", + "duration": 5025000000000, + "end": "2013-04-29T12:59:50.000Z", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "severity": 6, + "start": "2013-04-29T11:36:05.000Z", + "type": [ + "connection", + "end" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 140, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": 
"outside" @@ -830,16 +844,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -847,55 +852,65 @@ "10.123.1.35" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "ftd": { + "connection_id": "666", + "destination_interface": "inside", + "destination_username": "user2", + "source_interface": "outside", + "source_username": "user1" + } + }, + "destination": { + "address": "10.123.1.35", + "ip": "10.123.1.35", + "port": 52925 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "duration": 5025000000000, - "ingested": "2021-12-14T14:37:47.267662916Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", - "code": "302016", - "kind": "event", - "start": "2013-04-29T11:36:05.000Z", "action": "flow-expiration", - "end": "2013-04-29T12:59:50.000Z", "category": [ "network" ], + "code": "302016", + "duration": 36000000000000, + "end": "2013-04-29T12:59:50.000Z", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "severity": 6, + "start": "2013-04-29T02:59:50.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "connection_id": "89743275", - "source_interface": "outside" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 52925, - "address": "10.123.1.35", - "ip": "10.123.1.35" - }, - "source": { - "port": 53, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 9999999, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "outside" 
@@ -903,16 +918,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -920,49 +926,49 @@ "10.123.1.35" ] }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 53 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2011-06-04T21:59:52.000Z", + "cisco": { + "ftd": { + "mapped_source_ip": "192.168.132.46" + } + }, + "destination": { + "address": "172.24.177.29", + "ip": "172.24.177.29" + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "duration": 36000000000000, - "ingested": "2021-12-14T14:37:47.267663259Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", - "code": "302016", - "kind": "event", - "start": "2013-04-29T02:59:50.000Z", "action": "flow-expiration", - "end": "2013-04-29T12:59:50.000Z", "category": [ "network" ], + "code": "302021", + "kind": "event", + "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "severity": 6, "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "source_username": "user1", - "destination_interface": "inside", - "connection_id": "666", - "source_interface": "outside", - "destination_username": "user2" - } - } - }, - { + "host": { + "hostname": "FJSG2NRFW01" + }, "log": { "level": "informational" }, - "destination": { - "address": "172.24.177.29", - "ip": "172.24.177.29" - }, - "source": { - "address": "192.168.132.46", - "ip": "192.168.132.46" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" 
@@ -973,10 +979,6 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2011-06-04T21:59:52.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "FJSG2NRFW01" @@ -986,52 +988,56 @@ "172.24.177.29" ] }, - "host": { - "hostname": "FJSG2NRFW01" + "source": { + "address": "192.168.132.46", + "ip": "192.168.132.46" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.130", + "ip": "192.168.0.130", + "port": 10879 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267663623Z", - "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", - "code": "302021", - "kind": "event", - "action": "flow-expiration", + "action": "firewall-rule", "category": [ "network" ], + "code": "305011", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", + "severity": 6, "type": [ - "connection", - "end" + "info" ] }, - "cisco": { - "ftd": { - "mapped_source_ip": "192.168.132.46" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 10879, - "address": "192.168.0.130", - "ip": "192.168.0.130" - }, - "source": { - "port": 4954, - "address": "192.168.3.42", - "ip": "192.168.3.42" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -1039,16 +1045,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1056,54 +1053,67 @@ "192.168.0.130" ] }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267663952Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", - "code": "305011", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.3.42", + "ip": "192.168.3.42", + "port": 4954 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", "cisco": { "ftd": { - "destination_interface": "outside", - "source_interface": "inside" + "connection_id": "89743277", + "destination_interface": "inside", + "mapped_destination_ip": "10.0.0.130", + "mapped_destination_port": 10879, + "mapped_source_ip": "192.168.0.17", + "mapped_source_port": 80, + "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { + "address": "192.168.3.42", + "ip": "192.168.3.42", "nat": { - "port": 10879, - "ip": "10.0.0.130" + "ip": "10.0.0.130", + "port": 10879 }, - "address": "192.168.3.42", - "port": 4954, - "ip": "192.168.3.42" + "port": 4954 }, - "source": { - "port": 80, - "address": "192.168.0.17", - "ip": "192.168.0.17" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": 
"outside" @@ -1111,16 +1121,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2013-04-29T12:59:50.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1129,112 +1130,117 @@ "10.0.0.130" ] }, + "source": { + "address": "192.168.0.17", + "ip": "192.168.0.17", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:33.000Z", + "cisco": { + "ftd": {} + }, + "destination": { + "address": "10.1.2.60", + "ip": "10.1.2.60", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267664284Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106007", + "kind": "event", + "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "outcome": "failure", + "severity": 2, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "mapped_source_port": 80, - "mapped_destination_ip": "10.0.0.130", - "mapped_source_ip": "192.168.0.17", - "connection_id": "89743277", - "source_interface": "outside", - "mapped_destination_port": 10879 - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "port": 53, - "address": "10.1.2.60", - "ip": "10.1.2.60" - }, - "source": { - "port": 12981, - "address": "192.168.0.66", - "ip": "192.168.0.66" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "protocol": "dns", - "transport": "udp", + "direction": "inbound", "iana_number": "17", - "direction": "inbound" + "protocol": "dns", + "transport": "udp" }, "observer": { - "type": "firewall", "product": "asa", + "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2013-04-30T09:22:33.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "192.168.0.66", "10.1.2.60" ] }, + "source": { + "address": "192.168.0.66", + "ip": "192.168.0.66", + 
"port": 12981 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.89", + "ip": "192.168.0.89", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267664735Z", - "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", - "code": "106007", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "ftd": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.89", - "ip": "192.168.0.89" - }, - "source": { - "port": 2006, - "address": "10.0.0.16", - "ip": "10.0.0.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1242,16 +1248,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:38.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1259,52 +1256,60 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267665061Z", - "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2006 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49734, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1312,16 +1317,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:38.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1329,52 +1325,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267665388Z", - "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49734 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49735, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1382,16 +1386,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:39.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1399,52 +1394,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267665714Z", - "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49735 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49736, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1452,16 +1455,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:39.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1469,52 +1463,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267666054Z", - "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49736 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49737, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1522,16 +1524,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:39.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1539,52 +1532,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267666396Z", - "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49737 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:40.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49738, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1592,16 +1593,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:40.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1609,52 +1601,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267666738Z", - "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49738 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:41.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49746, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1662,16 +1662,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:41.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1679,52 +1670,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267667171Z", - "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49746 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:47.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2007, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1732,16 +1731,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:47.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1749,52 +1739,60 @@ "192.168.0.89" ] }, + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2007 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:48.000Z", + "cisco": { + "ftd": { + "destination_interface": "dmz", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.33.31", + "ip": "192.168.33.31", + "port": 25 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267667512Z", - "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "rule_name": "acl_in", - "source_interface": "inside" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 25, - "address": "192.168.33.31", - "ip": "192.168.33.31" - }, - "source": { - "port": 43013, - "address": "10.0.0.13", - "ip": "10.0.0.13" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, "ingress": { "interface": { "name": "inside" @@ -1802,16 +1800,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2013-04-30T09:22:48.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1819,52 +1808,60 @@ "192.168.33.31" ] }, + "source": { + "address": "10.0.0.13", + "ip": "10.0.0.13", + "port": 43013 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:22:56.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.89", + "ip": "192.168.0.89", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267667842Z", - "original": "Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] }, - "cisco": { - "ftd": { - "destination_interface": "dmz", - "rule_name": "acl_in", - "source_interface": "inside" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.89", - "ip": "192.168.0.89" - }, - "source": { - "port": 2008, - "address": "10.0.0.16", - "ip": "10.0.0.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -1872,16 +1869,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:22:56.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1889,51 +1877,52 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267668175Z", - "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2008 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:02.000Z", "cisco": { "ftd": { - "destination_interface": "outside", - "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "critical" }, "destination": { - "port": 137, "address": "10.1.2.42", - "ip": "10.1.2.42" + "ip": "10.1.2.42", + "port": 137 }, - "source": { - "port": 137, - "address": "192.168.2.66", - "ip": "192.168.2.66" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106006", + "kind": "event", + "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", + "outcome": "failure", + "severity": 2, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "critical" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "inbound", "iana_number": "17", - "transport": "udp", - "direction": "inbound" + "transport": "udp" }, "observer": { "ingress": { 
@@ -1945,118 +1934,123 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2013-04-30T09:23:02.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "192.168.2.66", "10.1.2.42" ] }, + "source": { + "address": "192.168.2.66", + "ip": "192.168.2.66", + "port": 137 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:03.000Z", + "cisco": { + "ftd": {} + }, + "destination": { + "address": "10.1.5.60", + "ip": "10.1.5.60", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267668510Z", - "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", - "code": "106006", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106007", + "kind": "event", + "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "source_interface": "inside" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "port": 53, - "address": "10.1.5.60", - "ip": "10.1.5.60" - }, - "source": { - "port": 12981, - "address": "192.168.2.66", - "ip": "192.168.2.66" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "protocol": "dns", - "transport": "udp", + "direction": "inbound", "iana_number": "17", - "direction": "inbound" + "protocol": "dns", + "transport": "udp" }, "observer": { - "type": "firewall", "product": "asa", + "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2013-04-30T09:23:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "192.168.2.66", "10.1.5.60" ] }, + "source": { + "address": "192.168.2.66", + "ip": "192.168.2.66", + "port": 12981 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2013-04-30T09:23:06.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.89", + "ip": "192.168.0.89", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267668841Z", - "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", - "code": "106007", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "ftd": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.89", - "ip": "192.168.0.89" - }, - "source": { - "port": 2009, - "address": "10.0.0.16", - "ip": "10.0.0.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -2064,16 +2058,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:06.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2081,52 +2066,60 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267669186Z", - "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2009 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:08.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 40443, "address": "192.168.0.88", - "ip": "192.168.0.88" + "ip": "192.168.0.88", + "port": 40443 }, - "source": { - "port": 49776, - "address": "10.0.0.46", - "ip": "10.0.0.46" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -2134,16 +2127,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:08.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2151,52 +2135,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267669578Z", - "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49776 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:15.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2010, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp" + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" + }, + "network": { + "iana_number": "6", + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -2204,16 +2196,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:15.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -2221,52 +2204,60 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267669908Z", - "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2010 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:24.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2011, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "failure", + "severity": 5, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -2274,16 +2265,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:24.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -2291,52 +2273,60 @@ "192.168.0.89" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267670249Z", - "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2011 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:34.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2012, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "failure", + "severity": 5, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -2344,16 +2334,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:34.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -2361,52 +2342,60 @@ "192.168.0.89" ] }, + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2012 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:40.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "acl_out", + "source_interface": "outside" + } + }, + "destination": { + "address": "10.0.0.132", + "ip": "10.0.0.132", + "port": 8111 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267670582Z", - "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "rule_name": "acl_in", - "source_interface": "inside" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 8111, - "address": "10.0.0.132", - "ip": "10.0.0.132" - }, - "source": { - "port": 53638, - "address": "192.168.2.126", - "ip": "192.168.2.126" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "outside" 
@@ -2414,16 +2403,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2013-04-30T09:23:40.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2431,69 +2411,68 @@ "10.0.0.132" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267671031Z", - "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "code": "106023", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "192.168.2.126", + "ip": "192.168.2.126", + "port": 53638 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:41.000Z", "cisco": { "ftd": { "destination_interface": "inside", "rule_name": "acl_out", "source_interface": "outside" } - } - }, - { - "log": { - "level": "warning" }, "destination": { - "port": 8111, "address": "10.0.0.132", - "ip": "10.0.0.132" - }, - "source": { - "port": 53638, - "address": "192.168.2.126", - "ip": "192.168.2.126" + "ip": "10.0.0.132", + "port": 8111 }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "transport": "tcp" + "ecs": { + "version": "1.12.0" }, - "observer": { - "ingress": { - "interface": { - "name": "outside" - } - }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco", + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106023", + "kind": "event", + "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "warning" + }, + "network": { + "iana_number": "6", + "transport": "tcp" + }, + "observer": { "egress": { "interface": { "name": "inside" } - } - }, - "@timestamp": "2013-04-30T09:23:41.000Z", - "ecs": { - "version": "1.12.0" + }, + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": 
"firewall", + "vendor": "Cisco" }, "related": { "ip": [ @@ -2501,52 +2480,60 @@ "10.0.0.132" ] }, + "source": { + "address": "192.168.2.126", + "ip": "192.168.2.126", + "port": 53638 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.88", + "ip": "192.168.0.88", + "port": 40443 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267674656Z", - "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "acl_out", - "source_interface": "outside" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 40443, - "address": "192.168.0.88", - "ip": "192.168.0.88" - }, - "source": { - "port": 49840, - "address": "10.0.0.46", - "ip": "10.0.0.46" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -2554,16 +2541,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:43.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ @@ -2571,52 +2549,60 @@ "192.168.0.88" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267675270Z", - "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.0.46", + "ip": "10.0.0.46", + "port": 49840 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", "cisco": { "ftd": { "destination_interface": "outside", "rule_name": "acl_in", "source_interface": "inside" } - } - }, - { - "log": { - "level": "notification" }, "destination": { - "port": 2000, "address": "192.168.0.89", - "ip": "192.168.0.89" + "ip": "192.168.0.89", + "port": 2000 }, - "source": { - "port": 2013, - "address": "10.0.0.16", - "ip": "10.0.0.16" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106100", + "kind": "event", + "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "notification" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -2624,16 +2610,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2013-04-30T09:23:43.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2641,52 +2618,61 @@ "192.168.0.89" ] }, + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2013 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-04-15T13:34:34.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "acl_in", + "source_interface": "inside", + "suffix": "session" + } + }, + "destination": { + "address": "192.168.0.99", + "ip": "192.168.0.99", + "port": 2000 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267675753Z", - "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106100", + "kind": "event", + "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "rule_name": "acl_in", - "source_interface": "inside" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "port": 2000, - "address": "192.168.0.99", - "ip": "192.168.0.99" - }, - "source": { - "port": 2241, - "address": "10.0.0.16", - "ip": "10.0.0.16" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" 
@@ -2694,16 +2680,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2018-04-15T13:34:34.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -2711,72 +2688,75 @@ "192.168.0.99" ] }, + "source": { + "address": "10.0.0.16", + "ip": "10.0.0.16", + "port": 2241 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco": { + "ftd": { + "connection_id": "447235", + "destination_interface": "identity", + "mapped_destination_ip": "10.0.13.13", + "mapped_destination_port": 80, + "mapped_source_ip": "192.168.77.12", + "mapped_source_port": 11180, + "source_interface": "outside" + } + }, + "destination": { + "address": "10.0.13.13", + "ip": "10.0.13.13", + "port": 80 + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267676279Z", - "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "code": "106100", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302015", + "kind": "event", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", + "severity": 6, "type": [ - "info", - "allowed" - ], - "outcome": "success" + "info" + ] + }, + "host": { + "hostname": "127.0.0.1" }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "suffix": "session", - "rule_name": "acl_in", - "source_interface": "inside" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 80, - "address": "10.0.13.13", - "ip": "10.0.13.13" - }, - "source": { - "port": 11180, - "address": "192.168.77.12", - "ip": "192.168.77.12" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "17", - "transport": "udp", - "direction": "outbound" + "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "identity" + } + }, + "hostname": 
"127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "identity" - } - } - }, - "@timestamp": "2018-12-11T08:01:24.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -2787,75 +2767,72 @@ "10.0.13.13" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.77.12", + "ip": "192.168.77.12", + "port": 11180 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "dmz", + "source_interface": "dmz" + } + }, + "destination": { + "address": "192.168.0.12", + "ip": "192.168.0.12", + "port": 53 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267676622Z", - "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", - "code": "302015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "outcome": "failure", + "severity": 4, "type": [ - "info" + "info", + "denied" ] }, - "cisco": { - "ftd": { - "destination_interface": "identity", - "mapped_source_port": 11180, - "mapped_destination_ip": "10.0.13.13", - "mapped_source_ip": "192.168.77.12", - "connection_id": "447235", - "source_interface": "outside", - "mapped_destination_port": 80 - } - } - }, - { + "host": { + "hostname": "127.0.0.1" + }, "log": { "level": "warning" }, - "destination": { - "port": 53, - "address": "192.168.0.12", - "ip": "192.168.0.12" - }, - "source": { - "port": 5555, - "address": "192.168.1.33", - "ip": "192.168.1.33" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "dmz" } }, - "hostname": "127.0.0.1", 
"product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2018-12-11T08:01:24.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -2866,73 +2843,72 @@ "192.168.0.12" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.1.33", + "ip": "192.168.1.33", + "port": 5555 }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267676967Z", - "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "code": "106023", - "kind": "event", + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "dmz", + "source_interface": "dmz" + } + }, + "destination": { + "address": "192.168.0.12", + "ip": "192.168.0.12", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "127.0.0.1" }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "rule_name": "dmz", - "source_interface": "dmz" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 53, - "address": "192.168.0.12", - "ip": "192.168.0.12" - }, - "source": { - "port": 5555, - "address": "192.168.1.33", - "ip": "192.168.1.33" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "dmz" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": 
"2018-12-11T08:01:24.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -2943,74 +2919,75 @@ "192.168.0.12" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.1.33", + "ip": "192.168.1.33", + "port": 5555 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco": { + "ftd": { + "connection_id": "447236", + "destination_interface": "dmz", + "mapped_destination_host": "OCSP_Server", + "mapped_destination_port": 5678, + "mapped_source_ip": "192.168.2.222", + "mapped_source_port": 1234, + "source_interface": "outside" + } + }, + "destination": { + "address": "OCSP_Server", + "domain": "OCSP_Server", + "port": 5678 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267677314Z", - "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "severity": 6, "type": [ - "info", - "denied" - ], - "outcome": "failure" + "info" + ] + }, + "host": { + "hostname": "127.0.0.1" }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "rule_name": "dmz", - "source_interface": "dmz" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 5678, - "address": "OCSP_Server", - "domain": "OCSP_Server" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, + "hostname": 
"127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2018-12-11T08:01:31.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3021,76 +2998,75 @@ "192.168.2.222" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco": { + "ftd": { + "connection_id": "447236", + "destination_interface": "dmz", + "mapped_destination_host": "OCSP_Server", + "mapped_destination_port": 5678, + "mapped_source_ip": "192.168.2.222", + "mapped_source_port": 1234, + "source_interface": "outside" + } + }, + "destination": { + "address": "OCSP_Server", + "domain": "OCSP_Server", + "port": 5678 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267677640Z", - "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", - "code": "302013", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "severity": 6, "type": [ "info" ] }, - "cisco": { - "ftd": { - "mapped_destination_host": "OCSP_Server", - "destination_interface": "dmz", - "mapped_source_port": 1234, - "mapped_source_ip": "192.168.2.222", - "connection_id": "447236", - "source_interface": "outside", - "mapped_destination_port": 5678 - } - } - }, - { + "host": { + "hostname": "127.0.0.1" + }, "log": { "level": "informational" }, - "destination": { - "port": 5678, - "address": "OCSP_Server", - "domain": "OCSP_Server" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - 
"direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2018-12-11T08:01:31.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3101,76 +3077,76 @@ "192.168.2.222" ] }, - "host": { - "hostname": "127.0.0.1" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267677972Z", - "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", "cisco": { "ftd": { - "mapped_destination_host": "OCSP_Server", - "destination_interface": "dmz", - "mapped_source_port": 1234, - "mapped_source_ip": "192.168.2.222", "connection_id": "447236", - "source_interface": "outside", - "mapped_destination_port": 5678 + "destination_interface": "dmz", + "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 5678, "address": "192.168.1.34", - "ip": "192.168.1.34" + "ip": "192.168.1.34", + "port": 5678 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 0, + "end": "2018-12-11T08:01:31.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-11T08:01:31.000Z", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "127.0.0.1" }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 14804, "iana_number": "6", "transport": "tcp" }, "observer": { 
+ "egress": { + "interface": { + "name": "dmz" + } + }, + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2018-12-11T08:01:31.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3181,77 +3157,76 @@ "192.168.1.34" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco": { + "ftd": { + "connection_id": "447234", + "destination_interface": "dmz", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.35", + "ip": "192.168.1.35", + "port": 5678 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 0, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:47.267678304Z", - "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-12-11T08:01:31.000Z", "action": "flow-expiration", - "end": "2018-12-11T08:01:31.000Z", "category": [ "network" ], + "code": "302014", + "duration": 68000000000, + "end": "2018-12-11T08:01:38.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-11T08:00:30.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "dmz", - "connection_id": "447236", - "source_interface": "outside" - } - } - }, - { + "host": { + "hostname": "127.0.0.1" + }, "log": { "level": "informational" }, - "destination": { - "port": 5678, - "address": "192.168.1.35", - "ip": "192.168.1.35" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 134781, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, + 
"hostname": "127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2018-12-11T08:01:38.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3262,77 +3237,76 @@ "192.168.1.35" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco": { + "ftd": { + "connection_id": "447234", + "destination_interface": "dmz", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.35", + "ip": "192.168.1.35", + "port": 5678 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:47.267678641Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-12-11T08:00:30.000Z", "action": "flow-expiration", - "end": "2018-12-11T08:01:38.000Z", "category": [ "network" ], + "code": "302014", + "duration": 68000000000, + "end": "2018-12-11T08:01:38.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-11T08:00:30.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "dmz", - "connection_id": "447234", - "source_interface": "outside" - } - } - }, - { + "host": { + "hostname": "127.0.0.1" + }, "log": { "level": "informational" }, - "destination": { - "port": 5678, - "address": "192.168.1.35", - "ip": "192.168.1.35" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 134781, "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } 
+ }, + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2018-12-11T08:01:38.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3343,142 +3317,135 @@ "192.168.1.35" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco": { + "ftd": { + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.34", + "ip": "192.168.1.34", + "port": 5679 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 68000000000, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:47.267678977Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-12-11T08:00:30.000Z", - "action": "flow-expiration", - "end": "2018-12-11T08:01:38.000Z", + "action": "firewall-rule", "category": [ "network" ], + "code": "106015", + "kind": "event", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "outcome": "failure", + "severity": 6, "type": [ - "connection", - "end" + "info", + "denied" ] }, - "cisco": { - "ftd": { - "destination_interface": "dmz", - "connection_id": "447234", - "source_interface": "outside" - } - } - }, - { + "host": { + "hostname": "127.0.0.1" + }, "log": { "level": "informational" }, - "destination": { - "port": 5679, - "address": "192.168.1.34", - "ip": "192.168.1.34" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": 
"2018-12-11T08:01:38.000Z", + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "192.168.2.222", + "192.168.1.34" + ] + }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco": { + "ftd": { + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.34", + "ip": "192.168.1.34", + "port": 5679 + }, "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "127.0.0.1" - ], - "ip": [ - "192.168.2.222", - "192.168.1.34" - ] - }, - "host": { - "hostname": "127.0.0.1" - }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267679314Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "code": "106015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106015", + "kind": "event", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "outcome": "failure", + "severity": 6, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "127.0.0.1" }, - "cisco": { - "ftd": { - "source_interface": "outside" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 5679, - "address": "192.168.1.34", - "ip": "192.168.1.34" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2018-12-11T08:01:38.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { 
"hosts": [ "127.0.0.1" 
@@ -3488,71 +3455,72 @@ "192.168.1.34" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:39.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": "dmz", + "source_interface": "dmz" + } + }, + "destination": { + "address": "192.168.0.12", + "ip": "192.168.0.12", + "port": 5000 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267679646Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "code": "106015", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "127.0.0.1" }, - "cisco": { - "ftd": { - "source_interface": "outside" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 5000, - "address": "192.168.0.12", - "ip": "192.168.0.12" - }, - "source": { - "port": 5679, - "address": "192.168.1.34", - "ip": "192.168.1.34" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "dmz" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2018-12-11T08:01:39.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, 
"related": { "hosts": [ 
@@ -3563,74 +3531,75 @@ "192.168.0.12" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.1.34", + "ip": "192.168.1.34", + "port": 5679 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco": { + "ftd": { + "connection_id": "447237", + "destination_interface": "dmz", + "mapped_destination_ip": "192.168.1.34", + "mapped_destination_port": 65000, + "mapped_source_ip": "192.168.2.222", + "mapped_source_port": 1234, + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.34", + "ip": "192.168.1.34", + "port": 65000 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267679976Z", - "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "302013", + "kind": "event", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "severity": 6, "type": [ - "info", - "denied" - ], - "outcome": "failure" + "info" + ] + }, + "host": { + "hostname": "127.0.0.1" }, - "cisco": { - "ftd": { - "destination_interface": "outside", - "rule_name": "dmz", - "source_interface": "dmz" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 65000, - "address": "192.168.1.34", - "ip": "192.168.1.34" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, + "hostname": 
"127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2018-12-11T08:01:53.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3641,76 +3610,75 @@ "192.168.1.34" ] }, - "host": { - "hostname": "127.0.0.1" - }, - "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267680428Z", - "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ] + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", "cisco": { "ftd": { + "connection_id": "447237", "destination_interface": "dmz", - "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", + "mapped_destination_port": 65000, "mapped_source_ip": "192.168.2.222", - "connection_id": "447237", - "source_interface": "outside", - "mapped_destination_port": 65000 + "mapped_source_port": 1234, + "source_interface": "outside" } - } - }, - { - "log": { - "level": "informational" }, "destination": { - "port": 65000, "address": "192.168.1.34", - "ip": "192.168.1.34" + "ip": "192.168.1.34", + "port": 65000 }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "hostname": "127.0.0.1" + }, + "log": { + "level": "informational" }, - "tags": [ - "preserve_original_event" - ], "network": { + "direction": "outbound", "iana_number": "6", - "transport": "tcp", - "direction": "outbound" + "transport": "tcp" }, "observer": { 
+ "egress": { + "interface": { + "name": "dmz" + } + }, + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2018-12-11T08:01:53.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3721,76 +3689,76 @@ "192.168.1.34" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco": { + "ftd": { + "connection_id": "447237", + "destination_interface": "dmz", + "source_interface": "outside" + } + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "port": 1235 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "ingested": "2021-12-14T14:37:47.267680762Z", - "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", - "code": "302013", - "kind": "event", - "action": "firewall-rule", + "action": "flow-expiration", "category": [ "network" ], + "code": "302014", + "duration": 86399000000000, + "end": "2018-12-11T08:01:53.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-10T08:01:54.000Z", "type": [ - "info" + "connection", + "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "dmz", - "mapped_source_port": 1234, - "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.168.2.222", - "connection_id": "447237", - "source_interface": "outside", - "mapped_destination_port": 65000 - } - } - }, - { + "host": { + "hostname": "127.0.0.1" + }, "log": { "level": "informational" }, - "destination": { - "port": 1235, - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "source": { - "port": 1234, - "address": "192.168.2.222", - "ip": "192.168.2.222" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 11420, "iana_number": "6", "transport": 
"tcp" }, "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, + "hostname": "127.0.0.1", "ingress": { "interface": { "name": "outside" } }, - "hostname": "127.0.0.1", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "dmz" - } - } - }, - "@timestamp": "2018-12-11T08:01:53.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -3801,59 +3769,63 @@ "10.10.10.10" ] }, - "host": { - "hostname": "127.0.0.1" + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2012-08-15T23:30:09.000Z", + "cisco": { + "ftd": { + "connection_id": "40", + "destination_interface": "inside", + "source_interface": "outside" + } + }, + "destination": { + "address": "10.44.2.2", + "ip": "10.44.2.2", + "port": 500 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 6, - "duration": 86399000000000, - "reason": "TCP FINs", - "ingested": "2021-12-14T14:37:47.267681105Z", - "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", - "code": "302014", - "kind": "event", - "start": "2018-12-10T08:01:54.000Z", "action": "flow-expiration", - "end": "2018-12-11T08:01:53.000Z", "category": [ "network" ], + "code": "302016", + "duration": 122000000000, + "end": "2012-08-15T23:30:09.000Z", + "kind": "event", + "original": "Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", + "severity": 6, + "start": "2012-08-15T23:28:07.000Z", "type": [ "connection", "end" ] }, - "cisco": { - "ftd": { - "destination_interface": "dmz", - "connection_id": "447237", - "source_interface": "outside" - } - } - }, - { "log": { "level": "informational" }, - "destination": { - "port": 500, - "address": "10.44.2.2", - "ip": "10.44.2.2" - }, - "source": { - "port": 500, - "address": "10.44.4.4", - "ip": "10.44.4.4" - }, - "tags": [ - "preserve_original_event" - ], "network": { "bytes": 1416, "iana_number": "17", "transport": "udp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, "ingress": { "interface": { "name": "outside" 
@@ -3861,16 +3833,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2012-08-15T23:30:09.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -3878,126 +3841,124 @@ "10.44.2.2" ] }, - "event": { - "severity": 6, - "duration": 122000000000, - "ingested": "2021-12-14T14:37:47.267681428Z", - "original": "Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", - "code": "302016", - "kind": "event", - "start": "2012-08-15T23:28:07.000Z", - "action": "flow-expiration", - "end": "2012-08-15T23:30:09.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end" - ] + "source": { + "address": "10.44.4.4", + "ip": "10.44.4.4", + "port": 500 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:50:53.000Z", "cisco": { "ftd": { - "destination_interface": "inside", - "connection_id": "40", - "source_interface": "outside" + "source_interface": "Mobile_Traffic" } - } - }, - { - "log": { - "level": "critical" }, "destination": { "address": "192.168.99.47", "ip": "192.168.99.47" }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, + "type": [ + "info", + "denied" + ] + }, + "host": { + "hostname": "GIFRCHN01" + }, + "log": { + "level": "critical" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:50:53.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.168.99.47" + ] + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2014-09-12T06:51:01.000Z", + "cisco": { + "ftd": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.57", + "ip": "192.168.99.57" + }, "ecs": { "version": "1.12.0" }, - "related": { - "hosts": [ - "GIFRCHN01" - ], - "ip": [ - "0.0.0.0", - "192.168.99.47" - ] - }, - "host": { - "hostname": "GIFRCHN01" - }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267681774Z", - "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "ftd": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.57", - "ip": "192.168.99.57" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:01.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4007,61 +3968,60 @@ "192.168.99.57" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco": { + "ftd": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.47", + "ip": "192.168.99.47" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267682101Z", - "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "ftd": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.47", - "ip": "192.168.99.47" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:05.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4071,61 +4031,60 @@ "192.168.99.47" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco": { + "ftd": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.47", + "ip": "192.168.99.47" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267682433Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "ftd": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.47", - "ip": "192.168.99.47" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:05.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4135,61 +4094,60 @@ "192.168.99.47" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:51:06.000Z", + "cisco": { + "ftd": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.57", + "ip": "192.168.99.57" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267682759Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "ftd": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.57", - "ip": "192.168.99.57" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:06.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4199,61 +4157,60 @@ "192.168.99.57" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:51:17.000Z", + "cisco": { + "ftd": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.99.57", + "ip": "192.168.99.57" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267683158Z", - "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "ftd": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.99.57", - "ip": "192.168.99.57" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:51:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4263,61 +4220,60 @@ "192.168.99.57" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:52:48.000Z", + "cisco": { + "ftd": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.1.255", + "ip": "192.168.1.255" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267683489Z", - "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "ftd": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.1.255", - "ip": "192.168.1.255" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:52:48.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4327,61 +4283,60 @@ "192.168.1.255" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:53:00.000Z", + "cisco": { + "ftd": { + "source_interface": "Mobile_Traffic" + } + }, + "destination": { + "address": "192.168.1.255", + "ip": "192.168.1.255" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267683817Z", - "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106016", + "kind": "event", + "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "outcome": "failure", + "severity": 2, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "ftd": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "critical" }, - "destination": { - "address": "192.168.1.255", - "ip": "192.168.1.255" - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Mobile_Traffic" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:53:00.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4391,71 +4346,71 @@ "192.168.1.255" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:53:01.000Z", + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "PERMIT_IN", + "source_interface": "outside" + } + }, + "destination": { + "address": "10.32.112.125", + "ip": "10.32.112.125", + "port": 25 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 2, - "ingested": "2021-12-14T14:37:47.267684153Z", - "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "code": "106016", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "106023", + "kind": "event", + "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "ftd": { - "source_interface": "Mobile_Traffic" - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "port": 25, - "address": "10.32.112.125", - "ip": "10.32.112.125" - }, - "source": { - "port": 24069, - "address": "192.168.2.95", - "ip": "192.168.2.95" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "inside" + } + }, + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "outside" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "inside" - } - } - }, - "@timestamp": "2014-09-12T06:53:01.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
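Review bot: The `event.original` for this 106023 record ends in a stray escaped quote (`by access-group \"PERMIT_IN\" [0x0, 0x0]\"`), so the fixture line is not a well-formed ASA message and the expected output only proves the parser tolerates an unbalanced quote. If that is deliberate (a regression test for lenient parsing), say so in the fixture or README; otherwise drop the trailing `\"` so this sample exercises the documented format like the other 106023 record. Also note that neither 106023 sample captures the bracketed ACE hash pair into any field while `cisco.ftd.rule_name` is captured; if the pipeline means to expose those identifiers, this is the sample to assert on.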
@@ -4466,63 +4421,63 @@ "10.32.112.125" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "192.168.2.95", + "ip": "192.168.2.95", + "port": 24069 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2014-09-12T06:53:02.000Z", + "cisco": { + "ftd": { + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "Outside" + } + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267684509Z", - "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", - "code": "106023", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "313001", + "kind": "event", + "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", + "outcome": "failure", + "severity": 3, "type": [ "info", "denied" - ], - "outcome": "failure" + ] + }, + "host": { + "hostname": "GIFRCHN01" }, - "cisco": { - "ftd": { - "destination_interface": "inside", - "rule_name": "PERMIT_IN", - "source_interface": "outside" - } - } - }, - { "log": { "level": "error" }, - "source": { - "address": "10.2.3.5", - "ip": "10.2.3.5" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" }, "observer": { + "hostname": "GIFRCHN01", "ingress": { "interface": { "name": "Outside" } }, - "hostname": "GIFRCHN01", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2014-09-12T06:53:02.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "hosts": [ "GIFRCHN01" 
@@ -4531,48 +4486,47 @@ "10.2.3.5" ] }, - "host": { - "hostname": "GIFRCHN01" + "source": { + "address": "10.2.3.5", + "ip": "10.2.3.5" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2015-01-14T13:16:13.000Z", + "cisco": { + "ftd": { + "icmp_type": 0, + "source_interface": "inside" + } + }, + "destination": { + "address": "172.16.1.10", + "ip": "172.16.1.10" + }, + "ecs": { + "version": "1.12.0" }, "event": { - "severity": 3, - "ingested": "2021-12-14T14:37:47.267684842Z", - "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", - "code": "313001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "313004", + "kind": "event", + "original": "Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", + "outcome": "failure", + "severity": 4, "type": [ "info", "denied" - ], - "outcome": "failure" + ] }, - "cisco": { - "ftd": { - "icmp_type": 3, - "source_interface": "Outside", - "icmp_code": 3 - } - } - }, - { "log": { "level": "warning" }, - "destination": { - "address": "172.16.1.10", - "ip": "172.16.1.10" - }, - "source": { - "address": "172.16.30.2", - "ip": "172.16.30.2" - }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" 
@@ -4587,69 +4541,70 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2015-01-14T13:16:13.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "172.16.30.2", "172.16.1.10" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267685183Z", - "original": "Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", - "code": "313004", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "172.16.30.2", + "ip": "172.16.30.2" }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", "cisco": { "ftd": { - "icmp_type": 0, + "destination_interface": "outside", + "mapped_destination_ip": "192.168.99.129", + "mapped_destination_port": 80, + "mapped_source_ip": "192.168.99.1", + "mapped_source_port": 7890, + "rule_name": "dynamic", "source_interface": "inside" } - } - }, - { - "server": { - "domain": "bad.example.com" - }, - "log": { - "level": "warning" }, "destination": { "address": "192.168.99.129", - "port": 80, "domain": "bad.example.com", - "ip": "192.168.99.129" + "ip": "192.168.99.129", + "port": 80 }, - "source": { - "nat": { - "port": 7890, - "ip": "192.168.99.1" - }, - "address": "10.1.1.45", - "port": 6798, - "ip": "10.1.1.45" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "338002", + "kind": "event", + "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", + "outcome": "success", + "severity": 4, + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - 
"preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, "ingress": { "interface": { "name": "inside" @@ -4657,16 +4612,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2015-01-14T13:16:14.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "hosts": [ 
@@ -4678,62 +4624,75 @@ "192.168.99.129" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267685515Z", - "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", - "code": "338002", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "allowed" - ], - "outcome": "success" + "server": { + "domain": "bad.example.com" + }, + "source": { + "address": "10.1.1.45", + "ip": "10.1.1.45", + "nat": { + "ip": "192.168.99.1", + "port": 7890 + }, + "port": 6798 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", "cisco": { "ftd": { - "destination_interface": "outside", - "mapped_source_port": 7890, - "mapped_destination_ip": "192.168.99.129", - "mapped_source_ip": "192.168.99.1", + "destination_interface": "outsidet", + "mapped_destination_ip": "192.168.2.225", + "mapped_destination_port": 80, + "mapped_source_ip": "10.2.1.1", + "mapped_source_port": 33340, "rule_name": "dynamic", "source_interface": "inside", - "mapped_destination_port": 80 + "threat_category": "Malware", + "threat_level": "very-high" } - } - }, - { - "log": { - "level": "warning" }, "destination": { + "address": "192.168.2.223", + "ip": "192.168.2.223", "nat": { "ip": "192.168.2.225" }, - "address": "192.168.2.223", - "port": 80, - "ip": "192.168.2.223" + "port": 80 }, - "source": { - "nat": { - "ip": "10.2.1.1" - }, - "address": "10.1.1.1", - "port": 33340, - "ip": "10.1.1.1" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "338004", + "kind": "event", + "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to 
outsidet:192.168.2.223/80 (192.168.2.225/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "outcome": "monitored", + "severity": 4, + "type": [ + "info" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outsidet" + } + }, "ingress": { "interface": { "name": "inside" @@ -4741,16 +4700,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outsidet" - } - } - }, - "@timestamp": "2015-01-14T13:16:14.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
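Review bot: `"outcome": "monitored"` on the 338004 record in this hunk is not a value ECS permits for event.outcome, whose allowed set is `success`, `failure` and `unknown`, so this fixture pins a non-conformant value and any search or rule filtering on `event.outcome` will never match this monitored-but-permitted traffic. Since the message states the blacklisted traffic was monitored rather than dropped, the pipeline should emit `"outcome": "success"` next to the existing `"type": ["info"]`, or `"unknown"` if the author prefers not to assert an outcome. This file only records pipeline output, so the change belongs in the ingest pipeline and the fixture then regenerated.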
@@ -4760,63 +4710,72 @@ "192.168.2.225" ] }, - "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267685841Z", - "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.225/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "code": "338004", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info" - ], - "outcome": "monitored" + "source": { + "address": "10.1.1.1", + "ip": "10.1.1.1", + "nat": { + "ip": "10.2.1.1" + }, + "port": 33340 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", "cisco": { "ftd": { "destination_interface": "outsidet", - "mapped_source_port": 33340, - "threat_level": "very-high", - "mapped_destination_ip": "192.168.2.225", + "mapped_destination_ip": "192.168.2.223", + "mapped_destination_port": 8080, "mapped_source_ip": "10.2.1.1", + "mapped_source_port": 33340, "rule_name": "dynamic", "source_interface": "inside", - "mapped_destination_port": 80, - "threat_category": "Malware" + "threat_category": "Malware", + "threat_level": "very-high" } - } - }, - { - "log": { - "level": "warning" }, "destination": { + "address": "192.168.2.223", + "ip": "192.168.2.223", "nat": { "port": 8080 }, - "address": "192.168.2.223", - "port": 80, - "ip": "192.168.2.223" + "port": 80 }, - "source": { - "nat": { - "ip": "10.2.1.1" - }, - "address": "10.1.1.1", - "port": 33340, - "ip": "10.1.1.1" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "338008", + "kind": "event", + "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/8080), destination 
192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "outcome": "failure", + "severity": 4, + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "warning" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, "observer": { + "egress": { + "interface": { + "name": "outsidet" + } + }, "ingress": { "interface": { "name": "inside" @@ -4824,16 +4783,7 @@ }, "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outsidet" - } - } - }, - "@timestamp": "2015-01-14T13:16:14.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -4842,168 +4792,158 @@ "192.168.2.223" ] }, + "source": { + "address": "10.1.1.1", + "ip": "10.1.1.1", + "nat": { + "ip": "10.2.1.1" + }, + "port": 33340 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2009-11-16T14:12:35.000Z", + "cisco": { + "ftd": {} + }, + "destination": { + "address": "192.168.2.1", + "ip": "192.168.2.1" + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 4, - "ingested": "2021-12-14T14:37:47.267686176Z", - "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/8080), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "code": "338008", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304001", + "kind": "event", + "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", + "outcome": "success", + "severity": 5, "type": [ "info", - "denied" - ], - "outcome": "failure" + "allowed" + ] }, - "cisco": { - "ftd": { - "destination_interface": "outsidet", - "mapped_source_port": 33340, - "threat_level": "very-high", - "mapped_destination_ip": "192.168.2.223", - "mapped_source_ip": "10.2.1.1", - "rule_name": "dynamic", - "source_interface": "inside", - "mapped_destination_port": 8080, - "threat_category": "Malware" - } - } - }, - { "log": { "level": "notification" }, - "destination": { - "address": "192.168.2.1", - "ip": "192.168.2.1" + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.30.30.30", + "192.168.2.1" + ] }, "source": { "address": "10.30.30.30", "ip": "10.30.30.30" }, - "url": { - "path": "/app", - "original": "/app" - }, "tags": [ "preserve_original_event" ], - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" + "url": { + 
"original": "/app", + "path": "/app" + } + }, + { + "@timestamp": "2009-11-16T14:12:36.000Z", + "cisco": { + "ftd": {} + }, + "destination": { + "address": "192.168.2.32", + "ip": "192.168.2.32" }, - "@timestamp": "2009-11-16T14:12:35.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.30.30.30", - "192.168.2.1" - ] - }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267686504Z", - "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", - "code": "304001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304001", + "kind": "event", + "original": "Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", + "outcome": "success", + "severity": 5, "type": [ "info", "allowed" - ], - "outcome": "success" + ] }, - "cisco": { - "ftd": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "address": "192.168.2.32", - "ip": "192.168.2.32" + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.5.111.32", + "192.168.2.32" + ] }, "source": { "address": "10.5.111.32", "ip": "10.5.111.32" }, - "url": { - "path": "", - "original": "http://example.com", - "scheme": "http", - "domain": "example.com" - }, "tags": [ "preserve_original_event" ], - "observer": { - "type": "firewall", - "product": "asa", - "vendor": "Cisco" + "url": { + "domain": "example.com", + "original": "http://example.com", + "path": "", + "scheme": "http" + } + }, + { + "@timestamp": "2009-11-16T14:12:37.000Z", + "cisco": { + "ftd": { + "source_interface": "inside" + } + }, + "destination": { + "address": "192.168.0.19", + "ip": "192.168.0.19" }, - "@timestamp": "2009-11-16T14:12:36.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.5.111.32", - "192.168.2.32" - ] - }, "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267686830Z", - "original": "Nov 16 2009 
14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", - "code": "304001", - "kind": "event", "action": "firewall-rule", "category": [ "network" ], + "code": "304002", + "kind": "event", + "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", + "outcome": "failure", + "severity": 5, "type": [ "info", - "allowed" - ], - "outcome": "success" + "denied" + ] }, - "cisco": { - "ftd": {} - } - }, - { "log": { "level": "notification" }, - "destination": { - "address": "192.168.0.19", - "ip": "192.168.0.19" - }, - "source": { - "address": "10.69.6.39", - "ip": "10.69.6.39" - }, - "url": { - "path": "/images/favicon.ico", - "extension": "ico", - "original": "http://www.example.net/images/favicon.ico", - "scheme": "http", - "domain": "www.example.net" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "ingress": { "interface": { @@ -5014,36 +4954,25 @@ "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2009-11-16T14:12:37.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.69.6.39", "192.168.0.19" ] }, - "event": { - "severity": 5, - "ingested": "2021-12-14T14:37:47.267687164Z", - "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", - "code": "304002", - "kind": "event", - "action": "firewall-rule", - "category": [ - "network" - ], - "type": [ - "info", - "denied" - ], - "outcome": "failure" + "source": { + "address": "10.69.6.39", + "ip": "10.69.6.39" }, - "cisco": { - "ftd": { - "source_interface": "inside" - } + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.net", + "extension": "ico", + "original": "http://www.example.net/images/favicon.ico", + "path": "/images/favicon.ico", + "scheme": "http" } } ] 
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json
index 9252476ce27..4a2375e634d 100644
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json
@@ -1,261 +1,292 @@ { "expected": [ { - "log": { - "level": "alert" + "@timestamp": "2019-08-15T16:03:31.000Z", + "cisco": { + "ftd": { + "destination_interface": "input", + "rule_name": [ + "default", + "Rule-1" + ], + "security": { + "ac_policy": "default", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Rule-1", + "application_protocol": "ICMP", + "client": "ICMP client", + "dst_ip": "10.0.1.20", + "egress_interface": "input", + "egress_zone": "input-zone", + "icmp_code": "No Code", + "icmp_type": "Echo Request", + "ingress_interface": "output", + "ingress_zone": "output-zone", + "initiator_bytes": "98", + "initiator_packets": "1", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "icmp", + "responder_bytes": "0", + "responder_packets": "0", + "src_ip": "10.0.100.30", + "user": "No Authentication Required" + }, + "source_interface": "output" + } }, "destination": { "address": "10.0.1.20", "bytes": 0, - "packets": 0, - "ip": "10.0.1.20" + "ip": "10.0.1.20", + "packets": 0 }, - "source": { - "address": "10.0.100.30", - "bytes": 98, - "packets": 1, - "ip": "10.0.100.30" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-started", + "category": [ + "network" + ], + "code": "430002", + "kind": "event", + "original": "2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", + "outcome": "success", + "severity": 1, + "type": [ + "connection", 
+ "start", + "allowed" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "icmp", - "transport": "icmp", "application": "icmp client", - "iana_number": "1" + "iana_number": "1", + "protocol": "icmp", + "transport": "icmp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "input" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "output" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "input" - } - } - }, - "@timestamp": "2019-08-15T16:03:31.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.100.30", "10.0.1.20" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" - }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:55.820193450Z", - "original": "2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", - "code": "430002", - "kind": "event", - "action": "connection-started", - "category": [ - "network" - ], - "type": [ - "connection", - "start", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.100.30", + "bytes": 98, + "ip": "10.0.100.30", + "packets": 1 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - 
"id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-15T16:05:33.000Z", "cisco": { "ftd": { "destination_interface": "input", + "rule_name": [ + "default", + "Rule-1" + ], "security": { - "icmp_type": "Echo Request", - "egress_zone": "input-zone", - "responder_packets": "0", + "ac_policy": "default", + "access_control_rule_action": "Allow", "access_control_rule_name": "Rule-1", + "application_protocol": "ICMP", + "client": "ICMP client", + "connection_duration": "0", + "dst_ip": "10.0.1.20", "egress_interface": "input", - "access_control_rule_action": "Allow", - "prefilter_policy": "Default Prefilter Policy", - "nap_policy": "Balanced Security and Connectivity", + "egress_zone": "input-zone", + "icmp_code": "No Code", + "icmp_type": "Echo Request", + "ingress_interface": "output", "ingress_zone": "output-zone", - "dst_ip": "10.0.1.20", - "ac_policy": "default", - "src_ip": "10.0.100.30", - "protocol": "icmp", - "application_protocol": "ICMP", "initiator_bytes": "98", "initiator_packets": "1", - "ingress_interface": "output", - "client": "ICMP client", - "icmp_code": "No Code", - "responder_bytes": "0", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "icmp", + "responder_bytes": "98", + "responder_packets": "1", + "src_ip": "10.0.100.30", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Rule-1" - ], "source_interface": "output" } - } - }, - { - "log": { - "level": "alert" }, "destination": { "address": "10.0.1.20", "bytes": 98, - "packets": 1, - "ip": "10.0.1.20" + "ip": "10.0.1.20", + "packets": 1 }, - "source": { - "address": "10.0.100.30", - "bytes": 98, - "packets": 1, - "ip": "10.0.100.30" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": 
"2019-08-15T16:05:33.000Z", + "kind": "event", + "original": "2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", + "outcome": "success", + "severity": 1, + "start": "2019-08-15T16:05:33.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "icmp", - "transport": "icmp", "application": "icmp client", - "iana_number": "1" + "iana_number": "1", + "protocol": "icmp", + "transport": "icmp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "input" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "output" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "input" - } - } - }, - "@timestamp": "2019-08-15T16:05:33.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.100.30", "10.0.1.20" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:55.820196341Z", - "original": "2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: 
icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", - "code": "430003", - "kind": "event", - "start": "2019-08-15T16:05:33.000Z", - "action": "connection-finished", - "end": "2019-08-15T16:05:33.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.100.30", + "bytes": 98, + "ip": "10.0.100.30", + "packets": 1 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-15T16:05:37.000Z", "cisco": { "ftd": { - "destination_interface": "input", + "destination_interface": "outside", + "rule_name": [ + "default", + "Rule-1" + ], "security": { - "icmp_type": "Echo Request", - "egress_zone": "input-zone", - "responder_packets": "1", - "access_control_rule_name": "Rule-1", - "egress_interface": "input", - "access_control_rule_action": "Allow", - "prefilter_policy": "Default Prefilter Policy", - "nap_policy": "Balanced Security and Connectivity", - "ingress_zone": "output-zone", - "dst_ip": "10.0.1.20", "ac_policy": "default", - "src_ip": "10.0.100.30", - "protocol": "icmp", - "application_protocol": "ICMP", - "initiator_bytes": "98", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Rule-1", + "application_protocol": "DNS", + "client": "DNS client", + "dns_query": "eu-central-1.ec2.archive.ubuntu.com", + "dns_record_type": "a host address", + "dst_ip": "81.2.69.144", + "dst_port": "53", + 
"egress_interface": "outside", + "egress_zone": "output-zone", + "ingress_interface": "inside", + "ingress_zone": "input-zone", + "initiator_bytes": "106", "initiator_packets": "1", - "connection_duration": "0", - "ingress_interface": "output", - "client": "ICMP client", - "icmp_code": "No Code", - "responder_bytes": "98", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "0", + "responder_packets": "0", + "src_ip": "10.0.1.20", + "src_port": "50074", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Rule-1" - ], - "source_interface": "output" + "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 0, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 0, + "ip": "81.2.69.144", "packets": 0, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
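Review bot: `user.id`, `user.name` and `related.user` in this hunk are populated with the placeholder string `No Authentication Required` taken from the log line's `User:` field, so a value that appears to mean "no identity" becomes a principal to which every unauthenticated connection is attributed in user-based searches and correlation. The later hunks of this file pin the same pattern. Assuming that string is the product's placeholder rather than a real account, the pipeline should leave the ECS `user.*` fields and `related.user` unset when it is encountered, keeping only `cisco.ftd.security.user` as the raw value. This file records pipeline output, so the fix belongs in the ingest pipeline with the fixture regenerated afterwards.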
@@ -264,136 +295,138 @@ }, "response_code": "NOERROR" }, - "source": { - "address": "10.0.1.20", - "port": 50074, - "bytes": 106, - "packets": 1, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-started", + "category": [ + "network" + ], + "code": "430002", + "kind": "event", + "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", + "outcome": "success", + "severity": 1, + "type": [ + "connection", + "start", + "allowed" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "inside" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-15T16:05:37.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" - }, - 
"event": { - "severity": 1, - "ingested": "2021-12-14T14:37:55.820196817Z", - "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", - "code": "430002", - "kind": "event", - "action": "connection-started", - "category": [ - "network" - ], - "type": [ - "connection", - "start", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 106, + "ip": "10.0.1.20", + "packets": 1, + "port": 50074 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-15T16:07:00.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Rule-1" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "a host address", - "responder_packets": "0", - "access_control_rule_name": "Rule-1", - "egress_interface": "outside", - "dns_query": "eu-central-1.ec2.archive.ubuntu.com", - "access_control_rule_action": "Allow", - "prefilter_policy": "Default Prefilter Policy", - "nap_policy": "Balanced Security and Connectivity", - "ingress_zone": "input-zone", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_port": "50074", - "src_ip": "10.0.1.20", - "protocol": "udp", + "access_control_rule_action": "Allow", + 
"access_control_rule_name": "Rule-1", "application_protocol": "DNS", - "initiator_bytes": "106", - "initiator_packets": "1", + "client": "DNS client", + "connection_duration": "0", + "dns_query": "siem-inside", + "dns_record_type": "a host address", + "dns_response_type": "Non-Existent Domain", + "dns_ttl": "86395", + "dst_ip": "81.2.69.144", "dst_port": "53", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "client": "DNS client", - "responder_bytes": "0", + "ingress_zone": "input-zone", + "initiator_bytes": "164", + "initiator_packets": "2", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": "314", + "responder_packets": "2", + "src_ip": "10.0.1.20", + "src_port": "49264", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Rule-1" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 314, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 53, - "bytes": 314, + "ip": "81.2.69.144", "packets": 2, - "ip": "81.2.69.144" + "port": 53 }, "dns": { "question": { 
@@ -402,933 +435,890 @@ }, "response_code": "NXDOMAIN" }, - "source": { - "address": "10.0.1.20", - "port": 49264, - "bytes": 164, - "packets": 2, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-15T16:07:00.000Z", + "kind": "event", + "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", + "outcome": "success", + "severity": 1, + "start": "2019-08-15T16:07:00.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "dns", - "transport": "udp", "application": "dns client", - "iana_number": "17" + "iana_number": "17", + "protocol": "dns", + "transport": "udp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "inside" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-15T16:07:00.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ 
"firepower" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" - }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:55.820197194Z", - "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", - "code": "430003", - "kind": "event", - "start": "2019-08-15T16:07:00.000Z", - "action": "connection-finished", - "end": "2019-08-15T16:07:00.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 164, + "ip": "10.0.1.20", + "packets": 2, + "port": 49264 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-15T16:07:18.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Rule-1" + ], "security": { - "egress_zone": "output-zone", - "dns_record_type": "a host address", - "responder_packets": "2", - "dns_query": "siem-inside", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - 
"src_ip": "10.0.1.20", - "protocol": "udp", - "application_protocol": "DNS", - "initiator_bytes": "164", - "initiator_packets": "2", - "connection_duration": "0", - "client": "DNS client", + "access_control_rule_action": "Allow", "access_control_rule_name": "Rule-1", + "dst_ip": "81.2.69.144", + "dst_port": "80", "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "src_port": "49264", - "dns_ttl": "86395", - "dst_port": "53", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "314", - "dns_response_type": "Non-Existent Domain", + "ingress_zone": "input-zone", + "initiator_bytes": "140", + "initiator_packets": "2", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "tcp", + "responder_bytes": "74", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "43228", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Rule-1" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 74, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 80, - "bytes": 74, + "ip": "81.2.69.144", "packets": 1, - "ip": "81.2.69.144" + "port": 80 }, - "source": { - "address": "10.0.1.20", - "port": 43228, - "bytes": 140, - "packets": 2, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-started", + "category": [ + "network" + ], + "code": "430002", + "kind": "event", + "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: 
AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + "outcome": "success", + "severity": 1, + "type": [ + "connection", + "start", + "allowed" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { "iana_number": "6", "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "inside" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-15T16:07:18.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" - }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:55.820197552Z", - "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", - "code": 
"430002", - "kind": "event", - "action": "connection-started", - "category": [ - "network" - ], - "type": [ - "connection", - "start", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 140, + "ip": "10.0.1.20", + "packets": 2, + "port": 43228 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-15T16:07:19.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Rule-1" + ], "security": { - "egress_zone": "output-zone", - "responder_packets": "1", - "access_control_rule_name": "Rule-1", - "egress_interface": "outside", + "ac_policy": "default", "access_control_rule_action": "Allow", - "prefilter_policy": "Default Prefilter Policy", - "nap_policy": "Balanced Security and Connectivity", - "ingress_zone": "input-zone", + "access_control_rule_name": "Rule-1", + "application_protocol": "HTTP", + "client": "Advanced Packaging Tool", + "client_version": "1.3", + "connection_duration": "1", "dst_ip": "81.2.69.144", - "ac_policy": "default", - "src_port": "43228", - "src_ip": "10.0.1.20", - "protocol": "tcp", - "initiator_bytes": "140", - "initiator_packets": "2", "dst_port": "80", + "egress_interface": "outside", + "egress_zone": "output-zone", + "http_response": "200", "ingress_interface": "inside", - "responder_bytes": "74", - "user": "No Authentication Required" + "ingress_zone": "input-zone", + "initiator_bytes": "97454", + "initiator_packets": "1359", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "tcp", + "referenced_host": "eu-central-1.ec2.archive.ubuntu.com", + "responder_bytes": "41319018", + "responder_packets": "29001", + "src_ip": "10.0.1.20", + "src_port": "43228", + "url": 
"http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "user": "No Authentication Required", + "user_agent": "Debian APT-HTTP/1.3 (1.6.11)", + "web_application": "Ubuntu" }, - "rule_name": [ - "default", - "Rule-1" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 41319018, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 80, - "bytes": 41319018, + "ip": "81.2.69.144", "packets": 29001, - "ip": "81.2.69.144" - }, - "source": { - "address": "10.0.1.20", - "port": 43228, - "bytes": 97454, - "packets": 1359, - "ip": "10.0.1.20" + "port": 80 }, - "url": { - "path": "/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", - "extension": "deb", - "original": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", - "scheme": "http", - "domain": "eu-central-1.ec2.archive.ubuntu.com" + "ecs": { + "version": "1.12.0" }, - "network": { - "protocol": "http", - "transport": "tcp", - "application": [ + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 1000000000, + "end": "2019-08-15T16:07:19.000Z", + "kind": "event", + "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, 
User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "outcome": "success", + "severity": 1, + "start": "2019-08-15T16:07:18.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "firepower" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "alert" + }, + "network": { + "application": [ "advanced packaging tool", "ubuntu" ], - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "inside" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-15T16:07:19.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" - }, - "http": { - "response": { - "status_code": 200 - } + "source": { + "address": "10.0.1.20", + "bytes": 97454, + "ip": "10.0.1.20", + "packets": 1359, + "port": 43228 }, - "event": { - "severity": 1, - "duration": 1000000000, - "ingested": "2021-12-14T14:37:55.820197905Z", - "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 
10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", - "code": "430003", - "kind": "event", - "start": "2019-08-15T16:07:18.000Z", - "action": "connection-finished", - "end": "2019-08-15T16:07:19.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "eu-central-1.ec2.archive.ubuntu.com", + "extension": "deb", + "original": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "path": "/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" + "id": "No Authentication Required", + "name": "No Authentication Required" }, + "user_agent": { + "original": "Debian APT-HTTP/1.3 (1.6.11)" + } + }, + { + "@timestamp": "2019-08-16T09:33:15.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Rule-1" + ], "security": { - "http_response": "200", - "egress_zone": "output-zone", - "responder_packets": "29001", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": 
"81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "tcp", - "web_application": "Ubuntu", - "application_protocol": "HTTP", - "initiator_bytes": "97454", - "initiator_packets": "1359", - "connection_duration": "1", - "client": "Advanced Packaging Tool", - "client_version": "1.3", - "referenced_host": "eu-central-1.ec2.archive.ubuntu.com", - "user_agent": "Debian APT-HTTP/1.3 (1.6.11)", + "access_control_rule_action": "Allow", "access_control_rule_name": "Rule-1", - "egress_interface": "outside", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "url": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", - "src_port": "43228", + "dst_ip": "81.2.69.144", "dst_port": "80", + "egress_interface": "outside", + "egress_zone": "output-zone", "ingress_interface": "inside", - "responder_bytes": "41319018", + "ingress_zone": "input-zone", + "initiator_bytes": "140", + "initiator_packets": "2", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "tcp", + "responder_bytes": "74", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "46000", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Rule-1" - ], "source_interface": "inside" } }, - "user_agent": { - "original": "Debian APT-HTTP/1.3 (1.6.11)" - } - }, - { - "log": { - "level": "alert" - }, "destination": { + "address": "81.2.69.144", + "bytes": 74, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 80, - "bytes": 74, + "ip": "81.2.69.144", "packets": 1, - "ip": 
"81.2.69.144" + "port": 80 }, - "source": { - "address": "10.0.1.20", - "port": 46000, - "bytes": 140, - "packets": 2, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-started", + "category": [ + "network" + ], + "code": "430002", + "kind": "event", + "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + "outcome": "success", + "severity": 1, + "type": [ + "connection", + "start", + "allowed" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { "iana_number": "6", "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "inside" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-16T09:33:15.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" - }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:55.820198293Z", - "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: 
inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", - "code": "430002", - "kind": "event", - "action": "connection-started", - "category": [ - "network" - ], - "type": [ - "connection", - "start", - "allowed" - ], - "outcome": "success" + "source": { + "address": "10.0.1.20", + "bytes": 140, + "ip": "10.0.1.20", + "packets": 2, + "port": 46000 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-16T09:33:15.000Z", "cisco": { "ftd": { "destination_interface": "outside", + "rule_name": [ + "default", + "Rule-1" + ], "security": { - "egress_zone": "output-zone", - "responder_packets": "1", - "access_control_rule_name": "Rule-1", - "egress_interface": "outside", - "access_control_rule_action": "Allow", - "prefilter_policy": "Default Prefilter Policy", - "nap_policy": "Balanced Security and Connectivity", - "ingress_zone": "input-zone", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_port": "46000", - "src_ip": "10.0.1.20", - "protocol": "tcp", - "initiator_bytes": "140", - "initiator_packets": "2", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Rule-1", + "application_protocol": "HTTP", + "client": "cURL", + "client_version": "7.58.0", + "connection_duration": "0", + "dst_ip": "81.2.69.144", "dst_port": "80", + "egress_interface": "outside", + "egress_zone": "output-zone", + "http_response": "200", "ingress_interface": "inside", - "responder_bytes": "74", - "user": "No Authentication Required" + "ingress_zone": "input-zone", + "initiator_bytes": 
"503", + "initiator_packets": "6", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "tcp", + "referenced_host": "www.eicar.org", + "responder_bytes": "690", + "responder_packets": "4", + "src_ip": "10.0.1.20", + "src_port": "46000", + "url": "http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required", + "user_agent": "curl/7.58.0" }, - "rule_name": [ - "default", - "Rule-1" - ], "source_interface": "inside" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", + "bytes": 690, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 80, - "bytes": 690, + "ip": "81.2.69.144", "packets": 4, - "ip": "81.2.69.144" + "port": 80 }, - "source": { - "address": "10.0.1.20", - "port": 46000, - "bytes": 503, - "packets": 6, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/download/eicar_com.zip", - "extension": "zip", - "original": "http://www.eicar.org/download/eicar_com.zip", - "scheme": "http", - "domain": "www.eicar.org" + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2019-08-16T09:33:15.000Z", + "kind": "event", + "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No 
Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", + "outcome": "success", + "severity": 1, + "start": "2019-08-16T09:33:15.000Z", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "firepower" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "inside" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "outside" - } - } - }, - "@timestamp": "2019-08-16T09:33:15.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" - }, - "http": { - "response": { - "status_code": 200 - } + "source": { + "address": "10.0.1.20", + "bytes": 503, + "ip": "10.0.1.20", + "packets": 6, + "port": 46000 }, - "event": { - "severity": 1, - "duration": 0, - "ingested": "2021-12-14T14:37:55.820198663Z", - "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: 
output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", - "code": "430003", - "kind": "event", - "start": "2019-08-16T09:33:15.000Z", - "action": "connection-finished", - "end": "2019-08-16T09:33:15.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "allowed" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" + "id": "No Authentication Required", + "name": "No Authentication Required" }, + "user_agent": { + "original": "curl/7.58.0" + } + }, + { + "@timestamp": "2019-08-16T09:35:15.000Z", "cisco": { "ftd": { - "destination_interface": "outside", + "destination_interface": "input", + "rule_name": [ + "default", + "Block-inbound-ICMP" + ], "security": { - "http_response": "200", - "egress_zone": "output-zone", - "responder_packets": "4", - "access_control_rule_action": "Allow", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "81.2.69.144", "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "tcp", - "application_protocol": "HTTP", - "initiator_bytes": "503", - "initiator_packets": "6", - "connection_duration": "0", - "client": "cURL", - "client_version": "7.58.0", - "referenced_host": "www.eicar.org", - "user_agent": "curl/7.58.0", - "access_control_rule_name": "Rule-1", - "egress_interface": "outside", + 
"access_control_rule_action": "Block", + "access_control_rule_name": "Block-inbound-ICMP", + "dst_ip": "10.0.1.20", + "egress_interface": "input", + "egress_zone": "input-zone", + "icmp_code": "No Code", + "icmp_type": "Echo Request", + "ingress_interface": "output", + "ingress_zone": "output-zone", + "initiator_bytes": "0", + "initiator_packets": "0", + "nap_policy": "Balanced Security and Connectivity", "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "url": "http://www.eicar.org/download/eicar_com.zip", - "src_port": "46000", - "dst_port": "80", - "ingress_interface": "inside", - "responder_bytes": "690", + "protocol": "icmp", + "responder_bytes": "0", + "responder_packets": "0", + "src_ip": "10.0.100.30", "user": "No Authentication Required" }, - "rule_name": [ - "default", - "Rule-1" - ], - "source_interface": "inside" + "source_interface": "output" } }, - "user_agent": { - "original": "curl/7.58.0" - } - }, - { - "log": { - "level": "alert" - }, "destination": { "address": "10.0.1.20", "bytes": 0, - "packets": 0, - "ip": "10.0.1.20" + "ip": "10.0.1.20", + "packets": 0 }, - "source": { - "address": "10.0.100.30", - "bytes": 0, - "packets": 0, - "ip": "10.0.100.30" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-started", + "category": [ + "network" + ], + "code": "430002", + "kind": "event", + "original": "2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", + "outcome": "block", + "severity": 1, + "type": [ + 
"connection", + "start", + "denied" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { "iana_number": "1", "transport": "icmp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "input" + } + }, + "hostname": "firepower", "ingress": { "interface": { "name": "output" } }, - "hostname": "firepower", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "input" - } - } - }, - "@timestamp": "2019-08-16T09:35:15.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "firepower" ], "ip": [ "10.0.100.30", "10.0.1.20" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" - }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:55.820199016Z", - "original": "2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", - "code": "430002", - "kind": "event", - "action": "connection-started", - "category": [ - "network" - ], - "type": [ - "connection", - "start", - "failure" - ], - "outcome": "block" + "source": { + "address": "10.0.100.30", + "bytes": 0, + "ip": "10.0.100.30", + "packets": 0 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": 
"2019-08-14T15:09:41.000Z", "cisco": { "ftd": { - "destination_interface": "input", + "destination_interface": "output", + "rule_name": [ + "default", + "Intrusion-Rule" + ], "security": { - "icmp_type": "Echo Request", - "egress_zone": "input-zone", - "responder_packets": "0", - "access_control_rule_name": "Block-inbound-ICMP", - "egress_interface": "input", + "ac_policy": "default", "access_control_rule_action": "Block", - "prefilter_policy": "Default Prefilter Policy", + "access_control_rule_name": "Intrusion-Rule", + "access_control_rule_reason": "File Block", + "application_protocol": "HTTP", + "client": "cURL", + "client_version": "7.58.0", + "connection_duration": "1", + "dst_ip": "10.0.100.30", + "dst_port": "8000", + "egress_interface": "output", + "egress_zone": "output-zone", + "file_count": "1", + "http_response": "200", + "ingress_interface": "input", + "ingress_zone": "input-zone", + "initiator_bytes": "365", + "initiator_packets": "4", "nap_policy": "Balanced Security and Connectivity", - "ingress_zone": "output-zone", - "dst_ip": "10.0.1.20", - "ac_policy": "default", - "src_ip": "10.0.100.30", - "protocol": "icmp", - "initiator_bytes": "0", - "initiator_packets": "0", - "ingress_interface": "output", - "icmp_code": "No Code", - "responder_bytes": "0", - "user": "No Authentication Required" + "prefilter_policy": "Default Prefilter Policy", + "protocol": "tcp", + "referenced_host": "10.0.100.30:8000", + "responder_bytes": "1927", + "responder_packets": "7", + "src_ip": "10.0.1.20", + "src_port": "41544", + "url": "http://10.0.100.30:8000/eicar_com.zip", + "user": "No Authentication Required", + "user_agent": "curl/7.58.0" }, - "rule_name": [ - "default", - "Block-inbound-ICMP" - ], - "source_interface": "output" + "source_interface": "input" } - } - }, - { - "log": { - "level": "alert" }, "destination": { "address": "10.0.100.30", - "port": 8000, "bytes": 1927, + "ip": "10.0.100.30", "packets": 7, - "ip": "10.0.100.30" + "port": 8000 }, - "source": { 
- "address": "10.0.1.20", - "port": 41544, - "bytes": 365, - "packets": 4, - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/eicar_com.zip", - "extension": "zip", - "original": "http://10.0.100.30:8000/eicar_com.zip", - "scheme": "http", - "port": 8000, - "domain": [ - "10.0.100.30", - "10.0.100.30:8000" + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 1000000000, + "end": "2019-08-14T15:09:41.000Z", + "kind": "event", + "original": "Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", + "outcome": "block", + "severity": 1, + "start": "2019-08-14T15:09:40.000Z", + "type": [ + "connection", + "end", + "denied" ] }, + "host": { + "hostname": "siem-ftd" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "alert" + }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "output" + } + }, + "hostname": "siem-ftd", "ingress": { "interface": { "name": "input" } }, - "hostname": "siem-ftd", "product": "asa", 
"type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "output" - } - } - }, - "@timestamp": "2019-08-14T15:09:41.000Z", - "ecs": { - "version": "1.12.0" + "vendor": "Cisco" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" - }, - "http": { - "response": { - "status_code": 200 - } + "source": { + "address": "10.0.1.20", + "bytes": 365, + "ip": "10.0.1.20", + "packets": 4, + "port": 41544 }, - "event": { - "severity": 1, - "duration": 1000000000, - "ingested": "2021-12-14T14:37:55.820199375Z", - "original": "Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", - "code": "430003", - "kind": "event", - "start": "2019-08-14T15:09:40.000Z", - "action": "connection-finished", - "end": "2019-08-14T15:09:41.000Z", - "category": [ - "network" - ], - "type": [ - "connection", - "end", - "failure" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": [ + "10.0.100.30", + "10.0.100.30:8000" ], - "outcome": "block" + "extension": "zip", + "original": "http://10.0.100.30:8000/eicar_com.zip", + "path": "/eicar_com.zip", + "port": 8000, + "scheme": "http" }, 
"user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, - "cisco": { - "ftd": { - "destination_interface": "output", - "security": { - "http_response": "200", - "access_control_rule_reason": "File Block", - "egress_zone": "output-zone", - "responder_packets": "7", - "access_control_rule_action": "Block", - "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "10.0.100.30", - "ac_policy": "default", - "src_ip": "10.0.1.20", - "protocol": "tcp", - "application_protocol": "HTTP", - "initiator_bytes": "365", - "initiator_packets": "4", - "connection_duration": "1", - "client": "cURL", - "client_version": "7.58.0", - "referenced_host": "10.0.100.30:8000", - "user_agent": "curl/7.58.0", - "file_count": "1", - "access_control_rule_name": "Intrusion-Rule", - "egress_interface": "output", - "prefilter_policy": "Default Prefilter Policy", - "ingress_zone": "input-zone", - "url": "http://10.0.100.30:8000/eicar_com.zip", - "src_port": "41544", - "dst_port": "8000", - "ingress_interface": "input", - "responder_bytes": "1927", - "user": "No Authentication Required" - }, - "rule_name": [ - "default", - "Intrusion-Rule" - ], - "source_interface": "input" - } + "id": "No Authentication Required", + "name": "No Authentication Required" }, "user_agent": { "original": "curl/7.58.0" diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json index 6f8c8d392e1..4aed1fb4799 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json 
@@ -1,1122 +1,1112 @@ { "expected": [ { - "log": { - "level": "alert" + "@timestamp": "2019-08-14T14:54:25.000Z", + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "10.0.100.30", + "dst_port": "8000", + "file_action": "Detect", + "file_direction": "Download", + "file_name": "exploit.exe", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_type": "ELF", + "first_packet_second": "2019-08-14T14:54:24Z", + "protocol": "tcp", + "src_ip": "10.0.1.20", + "src_port": "41522", + "uri": "http://10.0.100.30:8000/exploit.exe", + "user": "No Authentication Required" + } + } }, "destination": { - "port": 8000, "address": "10.0.100.30", - "ip": "10.0.100.30" + "ip": "10.0.100.30", + "port": 8000 }, - "source": { - "port": 41522, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/exploit.exe", - "extension": "exe", - "original": "http://10.0.100.30:8000/exploit.exe", - "scheme": "http", - "port": 8000, - "domain": "10.0.100.30" + "event": { + "action": "file-detected", + "category": [ + "malware" + ], + "code": "430004", + "kind": "alert", + "original": "Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", + "severity": 1, + "start": "2019-08-14T14:54:24Z", + "type": [ + "info" + ] + }, + "file": { + "name": "exploit.exe" + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - 
"iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "name": "exploit.exe" - }, - "@timestamp": "2019-08-14T14:54:25.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 41522 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970772097Z", - "original": "Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", - "code": "430004", - "kind": "alert", - "start": "2019-08-14T14:54:24Z", - "action": "file-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.0.100.30", + "extension": "exe", + "original": "http://10.0.100.30:8000/exploit.exe", + "path": "/exploit.exe", + "port": 8000, + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-14T14:55:02.000Z", "cisco": { "ftd": { "rule_name": "malware-and-file-policy", "security": { - "file_policy": "malware-and-file-policy", - "file_name": "exploit.exe", - "file_action": "Detect", - "first_packet_second": 
"2019-08-14T14:54:24Z", - "file_sandbox_status": "File Size Is Too Small", - "uri": "http://10.0.100.30:8000/exploit.exe", - "dst_ip": "10.0.100.30", - "src_port": "41522", - "src_ip": "10.0.1.20", - "protocol": "tcp", "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "10.0.100.30", + "dst_port": "8000", + "file_action": "Detect", "file_direction": "Download", + "file_name": "exploit.exe", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", "file_type": "ELF", - "dst_port": "8000", - "client": "cURL", + "first_packet_second": "2019-08-14T14:55:01Z", + "protocol": "tcp", + "src_ip": "10.0.1.20", + "src_port": "41526", + "uri": "http://10.0.100.30:8000/exploit.exe", "user": "No Authentication Required" } } - } - }, - { - "log": { - "level": "alert" }, "destination": { - "port": 8000, "address": "10.0.100.30", - "ip": "10.0.100.30" + "ip": "10.0.100.30", + "port": 8000 }, - "source": { - "port": 41526, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/exploit.exe", - "extension": "exe", - "original": "http://10.0.100.30:8000/exploit.exe", - "scheme": "http", - "port": 8000, - "domain": "10.0.100.30" + "event": { + "action": "file-detected", + "category": [ + "malware" + ], + "code": "430004", + "kind": "alert", + "original": "Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", + "severity": 1, + "start": "2019-08-14T14:55:01Z", + "type": [ + "info" + ] + }, + "file": { + "name": "exploit.exe" + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": 
"alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "name": "exploit.exe" - }, - "@timestamp": "2019-08-14T14:55:02.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 41526 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970775122Z", - "original": "Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", - "code": "430004", - "kind": "alert", - "start": "2019-08-14T14:55:01Z", - "action": "file-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.0.100.30", + "extension": "exe", + "original": "http://10.0.100.30:8000/exploit.exe", + "path": "/exploit.exe", + "port": 8000, + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-14T15:00:29.000Z", "cisco": { "ftd": { "rule_name": "malware-and-file-policy", "security": { - "file_policy": 
"malware-and-file-policy", - "file_name": "exploit.exe", + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "10.0.100.30", + "dst_port": "8000", "file_action": "Detect", - "first_packet_second": "2019-08-14T14:55:01Z", + "file_direction": "Download", + "file_name": "eicar.com", + "file_policy": "malware-and-file-policy", "file_sandbox_status": "File Size Is Too Small", - "uri": "http://10.0.100.30:8000/exploit.exe", - "dst_ip": "10.0.100.30", - "src_port": "41526", - "src_ip": "10.0.1.20", + "file_type": "EICAR", + "first_packet_second": "2019-08-14T15:00:27Z", "protocol": "tcp", - "application_protocol": "HTTP", - "file_direction": "Download", - "file_type": "ELF", - "dst_port": "8000", - "client": "cURL", + "src_ip": "10.0.1.20", + "src_port": "41530", + "uri": "http://10.0.100.30:8000/eicar.com", "user": "No Authentication Required" } } - } - }, - { - "log": { - "level": "alert" }, "destination": { - "port": 8000, "address": "10.0.100.30", - "ip": "10.0.100.30" + "ip": "10.0.100.30", + "port": 8000 }, - "source": { - "port": 41530, - "address": "10.0.1.20", - "ip": "10.0.1.20" - }, - "url": { - "path": "/eicar.com", - "extension": "com", - "original": "http://10.0.100.30:8000/eicar.com", - "scheme": "http", - "port": 8000, - "domain": "10.0.100.30" + "ecs": { + "version": "1.12.0" }, - "network": { - "protocol": "http", - "transport": "tcp", + "event": { + "action": "file-detected", + "category": [ + "malware" + ], + "code": "430004", + "kind": "alert", + "original": "Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", + "severity": 1, + "start": 
"2019-08-14T15:00:27Z", + "type": [ + "info" + ] + }, + "file": { + "name": "eicar.com" + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" + }, + "network": { "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "name": "eicar.com" - }, - "@timestamp": "2019-08-14T15:00:29.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 41530 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970775631Z", - "original": "Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", - "code": "430004", - "kind": "alert", - "start": "2019-08-14T15:00:27Z", - "action": "file-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.0.100.30", + "extension": "com", + "original": "http://10.0.100.30:8000/eicar.com", + "path": "/eicar.com", + "port": 8000, + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-14T15:01:41.000Z", 
"cisco": { "ftd": { "rule_name": "malware-and-file-policy", "security": { - "file_policy": "malware-and-file-policy", - "file_name": "eicar.com", - "file_action": "Detect", - "first_packet_second": "2019-08-14T15:00:27Z", - "file_sandbox_status": "File Size Is Too Small", - "uri": "http://10.0.100.30:8000/eicar.com", - "dst_ip": "10.0.100.30", - "src_port": "41530", - "src_ip": "10.0.1.20", - "protocol": "tcp", "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "10.0.100.30", + "dst_port": "8000", + "file_action": "Detect", "file_direction": "Download", + "file_name": "eicar.com.txt", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", "file_type": "EICAR", - "dst_port": "8000", - "client": "cURL", + "first_packet_second": "2019-08-14T15:01:40Z", + "protocol": "tcp", + "src_ip": "10.0.1.20", + "src_port": "41534", + "uri": "http://10.0.100.30:8000/eicar.com.txt", "user": "No Authentication Required" } } - } - }, - { - "log": { - "level": "alert" }, "destination": { - "port": 8000, "address": "10.0.100.30", - "ip": "10.0.100.30" + "ip": "10.0.100.30", + "port": 8000 }, - "source": { - "port": 41534, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/eicar.com.txt", - "extension": "txt", - "original": "http://10.0.100.30:8000/eicar.com.txt", - "scheme": "http", - "port": 8000, - "domain": "10.0.100.30" + "event": { + "action": "file-detected", + "category": [ + "malware" + ], + "code": "430004", + "kind": "alert", + "original": "Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: 
http://10.0.100.30:8000/eicar.com.txt", + "severity": 1, + "start": "2019-08-14T15:01:40Z", + "type": [ + "info" + ] + }, + "file": { + "name": "eicar.com.txt" + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "name": "eicar.com.txt" - }, - "@timestamp": "2019-08-14T15:01:41.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "siem-ftd" ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 41534 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970776033Z", - "original": "Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", - "code": "430004", - "kind": "alert", - "start": "2019-08-14T15:01:40Z", - "action": "file-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.0.100.30", + "extension": "txt", + "original": "http://10.0.100.30:8000/eicar.com.txt", + "path": "/eicar.com.txt", + "port": 8000, + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + 
"id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-14T15:03:28.000Z", "cisco": { "ftd": { "rule_name": "malware-and-file-policy", "security": { - "file_policy": "malware-and-file-policy", - "file_name": "eicar.com.txt", + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "10.0.100.30", + "dst_port": "8000", "file_action": "Detect", - "first_packet_second": "2019-08-14T15:01:40Z", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", "file_sandbox_status": "File Size Is Too Small", - "uri": "http://10.0.100.30:8000/eicar.com.txt", - "dst_ip": "10.0.100.30", - "src_port": "41534", - "src_ip": "10.0.1.20", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_type": "ZIP", + "first_packet_second": "2019-08-14T15:03:27Z", "protocol": "tcp", - "application_protocol": "HTTP", - "file_direction": "Download", - "file_type": "EICAR", - "dst_port": "8000", - "client": "cURL", + "src_ip": "10.0.1.20", + "src_port": "41540", + "threat_name": "Unknown", + "uri": "http://10.0.100.30:8000/eicar_com.zip", "user": "No Authentication Required" - } + }, + "threat_category": "Unknown" } - } - }, - { - "log": { - "level": "alert" }, "destination": { - "port": 8000, "address": "10.0.100.30", - "ip": "10.0.100.30" + "ip": "10.0.100.30", + "port": 8000 }, - "source": { - "port": 41540, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/eicar_com.zip", - "extension": "zip", - "original": "http://10.0.100.30:8000/eicar_com.zip", - "scheme": "http", - "port": 8000, - "domain": "10.0.100.30" + "event": { + "action": "file-detected", + "category": [ + "malware" + ], + "code": "430004", + "kind": "alert", + "original": "Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, 
FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "severity": 1, + "start": "2019-08-14T15:03:27Z", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "size": 184, - "name": "eicar_com.zip", - "hash": { - "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - } - }, - "@timestamp": "2019-08-14T15:03:28.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], "hosts": [ "siem-ftd" ], - "hash": [ - "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 41540 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970776412Z", - "original": "Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: 
Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", - "code": "430004", - "kind": "alert", - "start": "2019-08-14T15:03:27Z", - "action": "file-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.0.100.30", + "extension": "zip", + "original": "http://10.0.100.30:8000/eicar_com.zip", + "path": "/eicar_com.zip", + "port": 8000, + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-14T15:03:33.000Z", "cisco": { "ftd": { "rule_name": "malware-and-file-policy", "security": { - "file_policy": "malware-and-file-policy", - "file_name": "eicar_com.zip", + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "10.0.100.30", + "dst_port": "8000", "file_action": "Detect", - "first_packet_second": "2019-08-14T15:03:27Z", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", "file_sandbox_status": "File Size Is Too Small", - "uri": "http://10.0.100.30:8000/eicar_com.zip", "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", - "dst_ip": "10.0.100.30", "file_size": "184", - "src_port": "41540", - "src_ip": "10.0.1.20", + "file_type": "ZIP", + "first_packet_second": "2019-08-14T15:03:31Z", "protocol": "tcp", - "application_protocol": "HTTP", + "src_ip": "10.0.1.20", + "src_port": "41542", "threat_name": "Unknown", - "file_direction": "Download", - "file_type": 
"ZIP", - "dst_port": "8000", - "client": "cURL", + "uri": "http://10.0.100.30:8000/eicar_com.zip", "user": "No Authentication Required" }, "threat_category": "Unknown" } - } - }, - { - "log": { - "level": "alert" }, "destination": { - "port": 8000, "address": "10.0.100.30", - "ip": "10.0.100.30" + "ip": "10.0.100.30", + "port": 8000 }, - "source": { - "port": 41542, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/eicar_com.zip", - "extension": "zip", - "original": "http://10.0.100.30:8000/eicar_com.zip", - "scheme": "http", - "port": 8000, - "domain": "10.0.100.30" + "event": { + "action": "file-detected", + "category": [ + "malware" + ], + "code": "430004", + "kind": "alert", + "original": "Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "severity": 1, + "start": "2019-08-14T15:03:31Z", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "size": 184, - "name": 
"eicar_com.zip", - "hash": { - "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - } - }, - "@timestamp": "2019-08-14T15:03:33.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], "hosts": [ "siem-ftd" ], - "hash": [ - "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 41542 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970776808Z", - "original": "Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", - "code": "430004", - "kind": "alert", - "start": "2019-08-14T15:03:31Z", - "action": "file-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.0.100.30", + "extension": "zip", + "original": "http://10.0.100.30:8000/eicar_com.zip", + "path": "/eicar_com.zip", + "port": 8000, + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-14T15:09:43.000Z", "cisco": { "ftd": { "rule_name": "malware-and-file-policy", 
"security": { - "file_policy": "malware-and-file-policy", + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "10.0.100.30", + "dst_port": "8000", + "file_action": "Malware Block", + "file_direction": "Download", "file_name": "eicar_com.zip", - "file_action": "Detect", - "first_packet_second": "2019-08-14T15:03:31Z", + "file_policy": "malware-and-file-policy", "file_sandbox_status": "File Size Is Too Small", - "uri": "http://10.0.100.30:8000/eicar_com.zip", "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", - "dst_ip": "10.0.100.30", "file_size": "184", - "src_port": "41542", - "src_ip": "10.0.1.20", - "protocol": "tcp", - "application_protocol": "HTTP", - "threat_name": "Unknown", - "file_direction": "Download", "file_type": "ZIP", - "dst_port": "8000", - "client": "cURL", + "first_packet_second": "2019-08-14T15:09:40Z", + "protocol": "tcp", + "sha_disposition": "Malware", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "41544", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "threat_score": "76", + "uri": "http://10.0.100.30:8000/eicar_com.zip", "user": "No Authentication Required" }, - "threat_category": "Unknown" + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg", + "threat_level": "76" } - } - }, - { - "log": { - "level": "alert" }, "destination": { - "port": 8000, "address": "10.0.100.30", - "ip": "10.0.100.30" + "ip": "10.0.100.30", + "port": 8000 }, - "source": { - "port": 41544, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/eicar_com.zip", - "extension": "zip", - "original": "http://10.0.100.30:8000/eicar_com.zip", - "scheme": "http", - "port": 8000, - "domain": "10.0.100.30" + "event": { + "action": "malware-detected", + "category": [ + "malware" + ], + "code": "430005", + "kind": "alert", + "original": "Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, 
SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "severity": 1, + "start": "2019-08-14T15:09:40Z", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "size": 184, - "name": "eicar_com.zip", - "hash": { - "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - } - }, - "@timestamp": "2019-08-14T15:09:43.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" - ], - "hosts": [ - "siem-ftd" - ], "hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "hosts": [ + "siem-ftd" + ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "siem-ftd" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 41544 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970777205Z", - "original": "Aug 14 2019 15:09:43 
siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", - "code": "430005", - "kind": "alert", - "start": "2019-08-14T15:09:40Z", - "action": "malware-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.0.100.30", + "extension": "zip", + "original": "http://10.0.100.30:8000/eicar_com.zip", + "path": "/eicar_com.zip", + "port": 8000, + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-16T09:39:03.000Z", "cisco": { "ftd": { - "threat_level": "76", + "rule_name": "malware-and-file-policy", "security": { - "file_policy": "malware-and-file-policy", - "sha_disposition": "Malware", + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", "file_name": "eicar_com.zip", - "file_action": "Malware Block", - "spero_disposition": "Spero detection not performed on file", - "first_packet_second": "2019-08-14T15:09:40Z", + "file_policy": "malware-and-file-policy", "file_sandbox_status": "File Size Is Too Small", - "threat_score": "76", - "uri": "http://10.0.100.30:8000/eicar_com.zip", 
"file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", - "dst_ip": "10.0.100.30", "file_size": "184", - "src_port": "41544", - "src_ip": "10.0.1.20", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", "protocol": "tcp", - "application_protocol": "HTTP", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", - "file_direction": "Download", - "file_type": "ZIP", - "dst_port": "8000", - "client": "cURL", + "uri": "http://www.eicar.org/download/eicar_com.zip", "user": "No Authentication Required" }, - "rule_name": "malware-and-file-policy", "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 80, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 80 }, - "source": { - "port": 46004, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/download/eicar_com.zip", - "extension": "zip", - "original": "http://www.eicar.org/download/eicar_com.zip", - "scheme": "http", - "domain": "www.eicar.org" + "event": { + "action": "malware-detected", + "category": [ + "malware" + ], + "code": "430005", + "kind": "alert", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, 
FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "firepower", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "size": 184, - "name": "eicar_com.zip", - "hash": { - "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - } - }, - "@timestamp": "2019-08-16T09:39:03.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], "hosts": [ "firepower" ], - "hash": [ - "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970777576Z", 
- "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", - "code": "430005", - "kind": "alert", - "start": "2019-08-16T09:39:02Z", - "action": "malware-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-16T09:40:45.000Z", "cisco": { "ftd": { "rule_name": "malware-and-file-policy", "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "10.0.100.30", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "dd3dee576d0cb4abfed00f97f0c71c1d", "file_policy": "malware-and-file-policy", + "file_sandbox_status": "Sent for Analysis", + "file_sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", + "file_size": "278987", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "PDF", + "first_packet_second": 
"2019-08-16T09:40:45Z", + "protocol": "tcp", "sha_disposition": "Unavailable", - "file_name": "eicar_com.zip", - "file_action": "Malware Cloud Lookup", "spero_disposition": "Spero detection not performed on file", - "first_packet_second": "2019-08-16T09:39:02Z", - "file_sandbox_status": "File Size Is Too Small", - "uri": "http://www.eicar.org/download/eicar_com.zip", - "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", - "dst_ip": "81.2.69.144", - "file_size": "184", - "src_port": "46004", "src_ip": "10.0.1.20", - "file_storage_status": "Not Stored (Disposition Was Pending)", - "protocol": "tcp", - "application_protocol": "HTTP", - "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", - "file_direction": "Download", - "file_type": "ZIP", - "dst_port": "80", - "client": "cURL", + "src_port": "55378", + "threat_name": "Unknown", + "uri": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "user": "No Authentication Required" }, - "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + "threat_category": "Unknown" } - } - }, - { - "log": { - "level": "alert" }, "destination": { - "port": 80, "address": "10.0.100.30", - "ip": "10.0.100.30" + "ip": "10.0.100.30", + "port": 80 }, - "source": { - "port": 55378, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", - "original": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", - "scheme": "http", - "domain": "10.0.100.30" + "event": { + "action": "malware-detected", + "category": [ + "malware" + ], + "code": "430005", + "kind": "alert", + "original": "2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, 
SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "severity": 1, + "start": "2019-08-16T09:40:45Z", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" + }, + "name": "dd3dee576d0cb4abfed00f97f0c71c1d", + "size": 278987 + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "firepower", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "size": 278987, - "name": "dd3dee576d0cb4abfed00f97f0c71c1d", - "hash": { - "sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" - } - }, - "@timestamp": "2019-08-16T09:40:45.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" + "hash": [ + "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], "hosts": [ "firepower" ], - "hash": [ - "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" - ], "ip": [ "10.0.1.20", "10.0.100.30" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 55378 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970777954Z", - "original": "2019-08-16T09:40:45Z 
firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", - "code": "430005", - "kind": "alert", - "start": "2019-08-16T09:40:45Z", - "action": "malware-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "10.0.100.30", + "original": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "path": "/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, + "id": "No Authentication Required", + "name": "No Authentication Required" + } + }, + { + "@timestamp": "2019-08-16T09:42:07.000Z", "cisco": { "ftd": { "rule_name": "malware-and-file-policy", "security": { - "file_policy": "malware-and-file-policy", - "sha_disposition": "Unavailable", - "file_name": "dd3dee576d0cb4abfed00f97f0c71c1d", + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", "file_action": "Malware Cloud Lookup", - "spero_disposition": "Spero detection not performed on file", - "first_packet_second": "2019-08-16T09:40:45Z", - "file_sandbox_status": "Sent for Analysis", - "uri": 
"http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "file_direction": "Download", + "file_name": "dd3dee576d0cb4abfed00f97f0c71c1d", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "Failed to Send", "file_sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", - "dst_ip": "10.0.100.30", "file_size": "278987", - "src_port": "55378", - "src_ip": "10.0.1.20", - "file_storage_status": "Not Stored (Disposition Was Pending)", - "protocol": "tcp", - "application_protocol": "HTTP", - "threat_name": "Unknown", - "file_direction": "Download", "file_type": "PDF", - "dst_port": "80", - "client": "cURL", + "first_packet_second": "2019-08-16T09:42:06Z", + "protocol": "tcp", + "sha_disposition": "Malware", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "47926", + "threat_name": "Pdf.Exploit.Pdfka::100.sbx.tg", + "threat_score": "100", + "uri": "http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "user": "No Authentication Required" }, - "threat_category": "Unknown" + "threat_category": "Pdf.Exploit.Pdfka::100.sbx.tg", + "threat_level": "100" } - } - }, - { - "log": { - "level": "alert" }, "destination": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 80, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 80 }, - "source": { - "port": 47926, - "address": "10.0.1.20", - "ip": "10.0.1.20" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", - "original": 
"http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", - "scheme": "http", - "domain": "81.2.69.144" + "event": { + "action": "malware-detected", + "category": [ + "malware" + ], + "code": "430005", + "kind": "alert", + "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "severity": 1, + "start": "2019-08-16T09:42:06Z", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" + }, + "name": "dd3dee576d0cb4abfed00f97f0c71c1d", + "size": 278987 + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" }, "network": { - "protocol": "http", - "transport": "tcp", "application": "curl", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "firepower", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "file": { - "size": 278987, - "name": "dd3dee576d0cb4abfed00f97f0c71c1d", - "hash": { - "sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" - } - }, - "@timestamp": "2019-08-16T09:42:07.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { - "user": [ - "No Authentication Required" + "hash": [ + 
"9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], "hosts": [ "firepower" ], - "hash": [ - "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" - ], "ip": [ "10.0.1.20", "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "firepower" + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 47926 }, - "event": { - "severity": 1, - "ingested": "2021-12-14T14:37:57.970778340Z", - "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", - "code": "430005", - "kind": "alert", - "start": "2019-08-16T09:42:06Z", - "action": "malware-detected", - "category": [ - "malware" - ], - "type": [ - "info" - ] + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "81.2.69.144", + "original": "http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "path": "/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "scheme": "http" }, "user": { - "name": "No Authentication Required", - "id": "No Authentication Required" - }, - "cisco": { - "ftd": { - "threat_level": "100", - "security": { - "file_policy": "malware-and-file-policy", - "sha_disposition": "Malware", - "file_name": "dd3dee576d0cb4abfed00f97f0c71c1d", - "file_action": "Malware Cloud Lookup", - "spero_disposition": 
"Spero detection not performed on file", - "first_packet_second": "2019-08-16T09:42:06Z", - "file_sandbox_status": "Failed to Send", - "threat_score": "100", - "uri": "http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", - "file_sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", - "dst_ip": "81.2.69.144", - "file_size": "278987", - "src_port": "47926", - "src_ip": "10.0.1.20", - "protocol": "tcp", - "application_protocol": "HTTP", - "threat_name": "Pdf.Exploit.Pdfka::100.sbx.tg", - "file_direction": "Download", - "file_type": "PDF", - "dst_port": "80", - "client": "cURL", - "user": "No Authentication Required" - }, - "rule_name": "malware-and-file-policy", - "threat_category": "Pdf.Exploit.Pdfka::100.sbx.tg" - } + "id": "No Authentication Required", + "name": "No Authentication Required" } } ] diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json index 8c8efc22583..9c785665b12 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json 
@@ -1,173 +1,172 @@
 {
 "expected": [
 {
- "process": {
- "name": "Alerts"
- },
- "log": {
- "level": "unknown"
+ "@timestamp": "2020-03-01T01:02:36.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "s1p2",
+ "rule_name": [
+ "COOL-POLICY-3D",
+ "Inside DMZ-Rule-Inline"
+ ],
+ "security": {
+ "ac_policy": "COOL-POLICY-3D",
+ "access_control_rule_action": "Allow",
+ "access_control_rule_name": "Inside DMZ-Rule-Inline",
+ "access_control_rule_reason": "IP Monitor",
+ "application_protocol": "HTTP",
+ "client": "Chrome",
+ "client_version": "80.0.3987.87",
+ "connection_duration": "20",
+ "dst_ip": "81.2.69.144",
+ "dst_port": "80",
+ "egress_interface": "s1p2",
+ "egress_zone": "Inside-DMZ-Interface-Inline",
+ "http_referer": "http://eyedropper-color-pick.info/mk?c=1581483445764",
+ "ingress_interface": "s1p1",
+ "ingress_zone": "Inside-DMZ-Interface-Inline",
+ "initiator_bytes": "729",
+ "initiator_packets": "4",
+ "ip_reputation_si_category": "Malware",
+ "nap_policy": "State-Backbone",
+ "prefilter_policy": "Unknown",
+ "protocol": "tcp",
+ "referenced_host": "eyedropper-color-pick.info",
+ "responder_bytes": "246",
+ "responder_packets": "4",
+ "sec_int_matching_ip": "Destination",
+ "src_ip": "81.2.69.144",
+ "src_port": "65090",
+ "url": "http://bad-malwaresite-grr.info/favicon.ico",
+ "user": "No Authentication Required",
+ "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36"
+ },
+ "source_interface": "s1p1"
+ }
 },
 "destination": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
- "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
- },
 "address": "81.2.69.144",
- "port": 80,
 "bytes": 246,
- "packets": 4,
- "ip": "81.2.69.144"
- },
- "source": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
 "city_name": "London",
+ 
"continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 65090, - "bytes": 729, + "ip": "81.2.69.144", "packets": 4, - "ip": "81.2.69.144" + "port": 80 }, - "url": { - "path": "/favicon.ico", - "extension": "ico", - "original": "http://bad-malwaresite-grr.info/favicon.ico", - "scheme": "http", - "domain": [ - "bad-malwaresite-grr.info", - "eyedropper-color-pick.info" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 20000000000, + "end": "2020-03-01T01:02:36.000Z", + "kind": "event", + "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 81.2.69.144, DstIP: 81.2.69.144, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", + "outcome": "success", + "severity": 0, + "start": 
"2020-03-01T01:02:16.000Z", + "type": [ + "connection", + "end", + "allowed" ] }, + "host": { + "hostname": "CISCO-SENSOR-3D" + }, + "http": { + "request": { + "referrer": "http://eyedropper-color-pick.info/mk?c=1581483445764" + } + }, + "log": { + "level": "unknown" + }, "network": { - "protocol": "http", - "transport": "tcp", "application": "chrome", - "iana_number": "6" + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, - "tags": [ - "preserve_original_event" - ], "observer": { + "egress": { + "interface": { + "name": "s1p2" + } + }, + "hostname": "CISCO-SENSOR-3D", "ingress": { "interface": { "name": "s1p1" } }, - "hostname": "CISCO-SENSOR-3D", "product": "asa", "type": "firewall", - "vendor": "Cisco", - "egress": { - "interface": { - "name": "s1p2" - } - } + "vendor": "Cisco" }, - "@timestamp": "2020-03-01T01:02:36.000Z", - "ecs": { - "version": "1.12.0" + "process": { + "name": "Alerts" }, "related": { - "user": [ - "No Authentication Required" - ], "hosts": [ "CISCO-SENSOR-3D" ], "ip": [ "81.2.69.144" + ], + "user": [ + "No Authentication Required" ] }, - "host": { - "hostname": "CISCO-SENSOR-3D" - }, - "http": { - "request": { - "referrer": "http://eyedropper-color-pick.info/mk?c=1581483445764" - } + "source": { + "address": "81.2.69.144", + "bytes": 729, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 4, + "port": 65090 }, - "event": { - "severity": 0, - "duration": 20000000000, - "ingested": "2021-12-14T14:38:00.339668743Z", - "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 81.2.69.144, DstIP: 81.2.69.144, SrcPort: 65090, DstPort: 80, Protocol: tcp, 
IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico",
- "code": "430003",
- "kind": "event",
- "start": "2020-03-01T01:02:16.000Z",
- "action": "connection-finished",
- "end": "2020-03-01T01:02:36.000Z",
- "category": [
- "network"
- ],
- "type": [
- "connection",
- "end",
- "allowed"
+ "tags": [
+ "preserve_original_event"
+ ],
+ "url": {
+ "domain": [
+ "bad-malwaresite-grr.info",
+ "eyedropper-color-pick.info"
 ],
- "outcome": "success"
+ "extension": "ico",
+ "original": "http://bad-malwaresite-grr.info/favicon.ico",
+ "path": "/favicon.ico",
+ "scheme": "http"
 },
 "user": {
- "name": "No Authentication Required",
- "id": "No Authentication Required"
- },
- "cisco": {
- "ftd": {
- "destination_interface": "s1p2",
- "security": {
- "access_control_rule_reason": "IP Monitor",
- "egress_zone": "Inside-DMZ-Interface-Inline",
- "responder_packets": "4",
- "access_control_rule_action": "Allow",
- "nap_policy": "State-Backbone",
- "dst_ip": "81.2.69.144",
- "ac_policy": "COOL-POLICY-3D",
- "src_ip": "81.2.69.144",
- "protocol": "tcp",
- "application_protocol": "HTTP",
- "initiator_bytes": "729",
- "sec_int_matching_ip": "Destination",
- "initiator_packets": "4",
- "connection_duration": "20",
- "client": "Chrome",
- "client_version": "80.0.3987.87", - "referenced_host": "eyedropper-color-pick.info", - "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36", - "access_control_rule_name": "Inside DMZ-Rule-Inline", - "egress_interface": "s1p2", - "prefilter_policy": "Unknown", - "ingress_zone": "Inside-DMZ-Interface-Inline", - "url": "http://bad-malwaresite-grr.info/favicon.ico", - "src_port": "65090", - "http_referer": "http://eyedropper-color-pick.info/mk?c=1581483445764", - "ip_reputation_si_category": "Malware", - "dst_port": "80", - "ingress_interface": "s1p1", - "responder_bytes": "246", - "user": "No Authentication Required" - }, - "rule_name": [ - "COOL-POLICY-3D", - "Inside DMZ-Rule-Inline" - ], - "source_interface": "s1p1" - } + "id": "No Authentication Required", + "name": "No Authentication Required" }, "user_agent": { "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36" diff --git a/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml index c129aeb7555..6e0f692cb5a 100644 --- a/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml @@ -1,9 +1,6 @@ --- description: "Pipeline for Cisco ASA logs" processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - rename: field: message target_field: event.original @@ -1819,7 +1816,7 @@ processors: ctx.event.type.add('denied'); } if (ctx.event.outcome == 'block') { - ctx.event.type.add('failure'); + ctx.event.type.add('denied'); } } diff --git a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json index 9ca1a278169..a3ea2a09b8f 100644 
--- a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json
+++ b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json
@@ -1,89 +1,96 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.197", - "224.0.0.22" - ] - }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "cisco": { + "ios": { + "access_list": "177", + "facility": "SEC" } }, "destination": { "address": "224.0.0.22", "ip": "224.0.0.22" }, - "source": { - "packets": 1, - "address": "192.168.100.197", - "ip": "192.168.100.197" + "ecs": { + "version": "1.12.0" }, - "message": "list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", "event": { - "severity": 6, - "sequence": 585917, - "ingested": "2021-12-14T14:38:00.838124062Z", - "original": "Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", - "code": "IPACCESSLOGRP", - "provider": "firewall", "action": "deny", "category": "network", + "code": "IPACCESSLOGRP", + "original": "Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", + "provider": "firewall", + "sequence": 585917, + "severity": 6, "type": "denied" }, - "cisco": { - "ios": { - "facility": "SEC", - "access_list": "177" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, - "tags": [ - "preserve_original_event" - ], + "message": "list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", "network": { "community_id": "1:NCx7UOZoQUvxIB+uzqMmGnZTSzI=", + "packets": 1, "transport": "igmp", - "type": "ipv4", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.100.197", + "224.0.0.22" + ] + }, + "source": { + "address": "192.168.100.197", + "ip": "192.168.100.197", "packets": 1 - } + }, + "tags": [ + "preserve_original_event" + ] }, { - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "cisco": { + "ios": { + "access_list": "INBOUND-ON-F11", + "facility": "SEC" } }, 
"destination": { "address": "224.0.0.2", "ip": "224.0.0.2" }, - "source": { - "packets": 1, - "address": "192.168.100.2", - "ip": "192.168.100.2" + "ecs": { + "version": "1.12.0" }, - "message": "list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:eM790E01lXKYULfDPBPP0umazRw=", - "transport": "igmp", - "type": "ipv4", - "packets": 1 + "event": { + "action": "deny", + "category": "network", + "code": "IPACCESSLOGSP", + "original": "Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet", + "provider": "firewall", + "sequence": 585918, + "severity": 6, + "type": "denied" }, "igmp": { "type": "20" }, - "ecs": { - "version": "1.12.0" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" + } + }, + "message": "list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet", + "network": { + "community_id": "1:eM790E01lXKYULfDPBPP0umazRw=", + "packets": 1, + "transport": "igmp", + "type": "ipv4" }, "related": { "ip": [ 
@@ -91,235 +98,231 @@ "224.0.0.2" ] }, - "event": { - "severity": 6, - "sequence": 585918, - "ingested": "2021-12-14T14:38:00.838127289Z", - "original": "Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet", - "code": "IPACCESSLOGSP", - "provider": "firewall", - "action": "deny", - "category": "network", - "type": "denied" + "source": { + "address": "192.168.100.2", + "ip": "192.168.100.2", + "packets": 1 }, - "cisco": { - "ios": { - "facility": "SEC", - "access_list": "INBOUND-ON-F11" - } - } + "tags": [ + "preserve_original_event" + ] }, { - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.1", - "255.255.255.255" - ] - }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "cisco": { + "ios": { + "access_list": "171", + "facility": "SEC" } }, "destination": { "address": "255.255.255.255", "ip": "255.255.255.255" }, - "source": { - "packets": 1, - "address": "192.168.100.1", - "ip": "192.168.100.1" + "ecs": { + "version": "1.12.0" }, - "message": "list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", "event": { - "severity": 6, - "sequence": 585919, - "ingested": "2021-12-14T14:38:00.838127895Z", - "original": "Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", - "code": "IPACCESSLOGNP", - "provider": "firewall", "action": "deny", "category": "network", + "code": "IPACCESSLOGNP", + "original": "Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", + "provider": "firewall", + "sequence": 585919, + "severity": 6, "type": "denied" }, - "cisco": { - "ios": { - "facility": "SEC", - "access_list": "171" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, - "tags": [ - 
"preserve_original_event" - ], + "message": "list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", "network": { - "type": "ipv4", "iana_number": "0", - "packets": 1 - } - }, - { - "ecs": { - "version": "1.12.0" + "packets": 1, + "type": "ipv4" }, "related": { "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "192.168.100.1", + "255.255.255.255" ] }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "source": { + "address": "192.168.100.1", + "ip": "192.168.100.1", + "packets": 1 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cisco": { + "ios": { + "access_list": "ACL-IPv6-E0/0-IN/10", + "facility": "IPV6" } }, "destination": { - "geo": { - "continent_name": "Europe", - "country_name": "Norway", - "location": { - "lon": 10.0, - "lat": 62.0 - }, - "country_iso_code": "NO" - }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "port": 22, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "source": { "geo": { "continent_name": "Europe", + "country_iso_code": "NO", "country_name": "Norway", "location": { - "lon": 10.0, - "lat": 62.0 - }, - "country_iso_code": "NO" + "lat": 62.0, + "lon": 10.0 + } }, - "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "port": 1027, - "packets": 9, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 22 + }, + "ecs": { + "version": "1.12.0" }, - "message": "list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets", "event": { - "severity": 6, - "sequence": 585920, - "ingested": "2021-12-14T14:38:00.838128418Z", - "original": "May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets", - "code": "ACCESSLOGP", - "provider": "firewall", "action": "allow", 
"category": "network", + "code": "ACCESSLOGP", + "original": "May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets", + "provider": "firewall", + "sequence": 585920, + "severity": 6, "type": "allowed" }, - "cisco": { - "ios": { - "facility": "IPV6", - "access_list": "ACL-IPv6-E0/0-IN/10" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, - "tags": [ - "preserve_original_event" - ], + "message": "list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets", "network": { "community_id": "1:BI3p2ifMfqVkYuAqbGRcjozcbnA=", + "packets": 9, "transport": "tcp", - "type": "ipv6", - "packets": 9 - } - }, - { - "ecs": { - "version": "1.12.0" + "type": "ipv6" }, "related": { "ip": [ - "192.168.100.195", - "192.168.100.255" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "packets": 9, + "port": 1027 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cisco": { + "ios": { + "access_list": "177", + "facility": "SEC" } }, "destination": { - "port": 15600, "address": "192.168.100.255", - "ip": "192.168.100.255" + "ip": "192.168.100.255", + "port": 15600 }, - "source": { - "address": "192.168.100.195", - "port": 55250, - "packets": 1, - "ip": "192.168.100.195" + "ecs": { + "version": "1.12.0" }, - "message": "list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", "event": { - "severity": 6, - "sequence": 
1663303, - "ingested": "2021-12-14T14:38:00.838128898Z", - "original": "Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", - "code": "IPACCESSLOGP", - "provider": "firewall", "action": "deny", "category": "network", + "code": "IPACCESSLOGP", + "original": "Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", + "provider": "firewall", + "sequence": 1663303, + "severity": 6, "type": "denied" }, - "cisco": { - "ios": { - "facility": "SEC", - "access_list": "177" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, - "tags": [ - "preserve_original_event" - ], + "message": "list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", "network": { "community_id": "1:StJhZzrkK7s6tPeVb3BmxbE0NZ0=", + "packets": 1, "transport": "udp", - "type": "ipv4", - "packets": 1 - } + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.100.195", + "192.168.100.255" + ] + }, + "source": { + "address": "192.168.100.195", + "ip": "192.168.100.195", + "packets": 1, + "port": 55250 + }, + "tags": [ + "preserve_original_event" + ] }, { - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "cisco": { + "ios": { + "access_list": "151", + "facility": "SEC" } }, "destination": { "address": "192.168.100.2", "ip": "192.168.100.2" }, - "source": { - "packets": 1, - "address": "192.168.100.1", - "ip": "192.168.100.1" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deny", + "category": "network", + "code": "IPACCESSLOGDP", + "original": "Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet", + "provider": "firewall", + "sequence": 1663304, + "severity": 6, + "type": 
"denied" }, - "message": "list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet", "icmp": { - "type": "3", - "code": "4" + "code": "4", + "type": "3" }, - "tags": [ - "preserve_original_event" - ], + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" + } + }, + "message": "list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet", "network": { "community_id": "1:qFmXhpjtK+/aneNSpMgRiI7dwi4=", + "packets": 1, "transport": "icmp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" + "type": "ipv4" }, "related": { "ip": [ @@ -327,33 +330,39 @@ "192.168.100.2" ] }, - "event": { - "severity": 6, - "sequence": 1663304, - "ingested": "2021-12-14T14:38:00.838129384Z", - "original": "Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet", - "code": "IPACCESSLOGDP", - "provider": "firewall", - "action": "deny", - "category": "network", - "type": "denied" + "source": { + "address": "192.168.100.1", + "ip": "192.168.100.1", + "packets": 1 }, + "tags": [ + "preserve_original_event" + ] + }, + { "cisco": { "ios": { - "facility": "SEC", - "access_list": "151" + "access_list": "177", + "facility": "SEC" } - } - }, - { + }, + "destination": { + "address": "192.168.100.255", + "ip": "192.168.100.255", + "port": 15600 + }, "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "192.168.100.195", - "192.168.100.255" - ] + "event": { + "action": "deny", + "category": "network", + "code": "IPACCESSLOGP", + "original": "Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet", + "provider": "firewall", + "sequence": 1663312, + "severity": 6, + "type": "denied" }, "log": { "level": "informational", 
@@ -361,259 +370,247 @@ "address": "192.168.100.2" } }, - "destination": { - "port": 15600, - "address": "192.168.100.255", - "ip": "192.168.100.255" + "message": "list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet", + "network": { + "community_id": "1:l5C5fxVKRjXx6kz2MZOPm+0MjuU=", + "packets": 1, + "transport": "udp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.100.195", + "192.168.100.255" + ] }, "source": { "address": "192.168.100.195", - "port": 54309, + "ip": "192.168.100.195", "packets": 1, - "ip": "192.168.100.195" - }, - "message": "list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet", - "event": { - "severity": 6, - "sequence": 1663312, - "ingested": "2021-12-14T14:38:00.838129867Z", - "original": "Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet", - "code": "IPACCESSLOGP", - "provider": "firewall", - "action": "deny", - "category": "network", - "type": "denied" - }, - "cisco": { - "ios": { - "facility": "SEC", - "access_list": "177" - } + "port": 54309 }, "tags": [ "preserve_original_event" - ], - "network": { - "community_id": "1:l5C5fxVKRjXx6kz2MZOPm+0MjuU=", - "transport": "udp", - "type": "ipv4", - "packets": 1 - } + ] }, { + "cisco": { + "ios": { + "facility": "SEC" + } + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" - } - }, "event": { - "severity": 6, - "sequence": 1663313, - "ingested": "2021-12-14T14:38:00.838130372Z", - "original": "Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets", + "category": "network", "code": "IPACCESSLOGRL", + "original": "Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets", "provider": 
"firewall", - "category": "network", + "sequence": 1663313, + "severity": 6, "type": "info" }, - "message": "access-list logging rate-limited or missed 18 packets", - "cisco": { - "ios": { - "facility": "SEC" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, + "message": "access-list logging rate-limited or missed 18 packets", "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.195", - "192.168.100.255" - ] - }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "cisco": { + "ios": { + "access_list": "177", + "facility": "SEC" } }, "destination": { - "port": 15600, "address": "192.168.100.255", - "ip": "192.168.100.255" + "ip": "192.168.100.255", + "port": 15600 }, - "source": { - "address": "192.168.100.195", - "port": 43989, - "packets": 1, - "ip": "192.168.100.195" + "ecs": { + "version": "1.12.0" }, - "message": "list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet", "event": { - "severity": 6, - "sequence": 1663314, - "ingested": "2021-12-14T14:38:00.838130841Z", - "original": "Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet", - "code": "IPACCESSLOGP", - "provider": "firewall", "action": "deny", "category": "network", + "code": "IPACCESSLOGP", + "original": "Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet", + "provider": "firewall", + "sequence": 1663314, + "severity": 6, "type": "denied" }, - "cisco": { - "ios": { - "facility": "SEC", - "access_list": "177" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, - "tags": [ - "preserve_original_event" - ], + "message": "list 177 denied udp 192.168.100.195(43989) -\u003e 
192.168.100.255(15600), 1 packet", "network": { "community_id": "1:qEu4RGH+VDqSvCYBmcpiipbHIFc=", + "packets": 1, "transport": "udp", - "type": "ipv4", - "packets": 1 - } - }, - { - "ecs": { - "version": "1.12.0" + "type": "ipv4" }, "related": { "ip": [ - "192.168.100.12", - "81.2.69.144" + "192.168.100.195", + "192.168.100.255" ] }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "source": { + "address": "192.168.100.195", + "ip": "192.168.100.195", + "packets": 1, + "port": 43989 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cisco": { + "ios": { + "access_list": "150", + "facility": "SEC" } }, "destination": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 80, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 80 }, - "source": { - "address": "192.168.100.12", - "port": 59832, - "packets": 1, - "ip": "192.168.100.12" + "ecs": { + "version": "1.12.0" }, - "message": "list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", "event": { - "severity": 6, - "sequence": 1663321, - "ingested": "2021-12-14T14:38:00.838131313Z", - "original": "Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", - "code": "IPACCESSLOGP", - "provider": "firewall", "action": "deny", "category": "network", + "code": "IPACCESSLOGP", + "original": "Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", + "provider": "firewall", + 
"sequence": 1663321, + "severity": 6, "type": "denied" }, - "cisco": { - "ios": { - "facility": "SEC", - "access_list": "150" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, - "tags": [ - "preserve_original_event" - ], + "message": "list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", "network": { "community_id": "1:KHXR26FFI5fAjbqPIM0o9njIDr0=", + "packets": 1, "transport": "tcp", - "type": "ipv4", - "packets": 1 - } + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.100.12", + "81.2.69.144" + ] + }, + "source": { + "address": "192.168.100.12", + "ip": "192.168.100.12", + "packets": 1, + "port": 59832 + }, + "tags": [ + "preserve_original_event" + ] }, { + "cisco": { + "ios": { + "facility": "SEC" + } + }, "ecs": { "version": "1.12.0" }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" - } - }, "event": { - "severity": 6, - "sequence": 1663325, - "ingested": "2021-12-14T14:38:00.838131789Z", - "original": "Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets", + "category": "network", "code": "IPACCESSLOGRL", + "original": "Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets", "provider": "firewall", - "category": "network", + "sequence": 1663325, + "severity": 6, "type": "info" }, - "message": "access-list logging rate-limited or missed 23 packets", - "cisco": { - "ios": { - "facility": "SEC" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, + "message": "access-list logging rate-limited or missed 23 packets", "tags": [ "preserve_original_event" ] }, { - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "cisco": { + "ios": { + "access_list": "150", + "facility": "SEC" } }, "destination": { "address": "192.168.100.1", "ip": 
"192.168.100.1" }, - "source": { - "packets": 32, - "address": "192.168.100.12", - "ip": "192.168.100.12" + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deny", + "category": "network", + "code": "IPACCESSLOGDP", + "original": "Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets", + "provider": "firewall", + "sequence": 1663326, + "severity": 6, + "type": "denied" }, - "message": "list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets", "icmp": { - "type": "3", - "code": "3" + "code": "3", + "type": "3" }, - "tags": [ - "preserve_original_event" - ], + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" + } + }, + "message": "list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets", "network": { "community_id": "1:iJX04o1L7tLCbqhG80H5P/Nx4FY=", + "packets": 32, "transport": "icmp", - "type": "ipv4", - "packets": 32 - }, - "ecs": { - "version": "1.12.0" + "type": "ipv4" }, "related": { "ip": [ 
@@ -621,205 +618,154 @@ "192.168.100.1" ] }, - "event": { - "severity": 6, - "sequence": 1663326, - "ingested": "2021-12-14T14:38:00.838132488Z", - "original": "Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets", - "code": "IPACCESSLOGDP", - "provider": "firewall", - "action": "deny", - "category": "network", - "type": "denied" + "source": { + "address": "192.168.100.12", + "ip": "192.168.100.12", + "packets": 32 }, - "cisco": { - "ios": { - "facility": "SEC", - "access_list": "150" - } - } + "tags": [ + "preserve_original_event" + ] }, { - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.12", - "81.2.69.144" - ] - }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" + "cisco": { + "ios": { + "access_list": "150", + "facility": "SEC" } }, "destination": { + "address": "81.2.69.144", "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" }, - "address": "81.2.69.144", - "port": 80, - "ip": "81.2.69.144" + "ip": "81.2.69.144", + "port": 80 }, - "source": { - "address": "192.168.100.12", - "port": 59834, - "packets": 1, - "ip": "192.168.100.12" + "ecs": { + "version": "1.12.0" }, - "message": "list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", "event": { - "severity": 6, - "sequence": 1663327, - "ingested": "2021-12-14T14:38:00.838132987Z", - "original": "Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", - "code": "IPACCESSLOGP", - "provider": "firewall", "action": 
"deny", "category": "network", + "code": "IPACCESSLOGP", + "original": "Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", + "provider": "firewall", + "sequence": 1663327, + "severity": 6, "type": "denied" }, - "cisco": { - "ios": { - "facility": "SEC", - "access_list": "150" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, - "tags": [ - "preserve_original_event" - ], + "message": "list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", "network": { "community_id": "1:Nww0Z+gJpZXiHgUEpOLnoLROtqw=", + "packets": 1, "transport": "tcp", - "type": "ipv4", - "packets": 1 - } - }, - { - "ecs": { - "version": "1.12.0" + "type": "ipv4" }, "related": { - "user": [ - "john.smith" - ], "ip": [ - "10.2.55.3" + "192.168.100.12", + "81.2.69.144" ] }, - "log": { - "level": "notification", - "source": { - "address": "192.168.100.2" + "source": { + "address": "192.168.100.12", + "ip": "192.168.100.12", + "packets": 1, + "port": 59834 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cisco": { + "ios": { + "action": "Login", + "facility": "SEC_LOGIN" } }, "destination": { "port": 22 }, - "source": { - "user": { - "name": "john.smith" - }, - "address": "10.2.55.3", - "ip": "10.2.55.3" + "ecs": { + "version": "1.12.0" }, - "message": "Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", "event": { - "severity": 5, - "sequence": 1991219, - "ingested": "2021-12-14T14:38:00.838133469Z", - "original": "Mar 24 18:06:03 192.168.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", + "category": "network", "code": "LOGIN_SUCCESS", + "original": "Mar 24 18:06:03 192.168.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success 
[user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", "provider": "firewall", - "category": "network", + "sequence": 1991219, + "severity": 5, "type": "info" }, - "cisco": { - "ios": { - "action": "Login", - "facility": "SEC_LOGIN" + "log": { + "level": "notification", + "source": { + "address": "192.168.100.2" } }, - "tags": [ - "preserve_original_event" - ], + "message": "Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", "network": { "type": "ipv4" - } - }, - { - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "10.2.55.3" + ], "user": [ "john.smith" - ], - "ip": [ - "10.5.36.9" ] }, - "log": { - "level": "informational", - "source": { - "address": "192.168.100.2" - } - }, "source": { + "address": "10.2.55.3", + "ip": "10.2.55.3", "user": { "name": "john.smith" - }, - "address": "10.5.36.9", - "ip": "10.5.36.9" - }, - "event": { - "severity": 6, - "sequence": 1991220, - "ingested": "2021-12-14T14:38:00.838133950Z", - "original": "Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)", - "code": "LOGOUT", - "provider": "firewall", - "category": "network", - "type": "info" + } }, - "message": "User john.smith has exited tty session 5(10.5.36.9)", + "tags": [ + "preserve_original_event" + ] + }, + { "cisco": { "ios": { "action": "exited", "facility": "SYS", "session": { - "type": "tty", - "number": "5" + "number": "5", + "type": "tty" } } }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - } - }, - { "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.4.5.66", - "10.3.66.3" - ] + "event": { + "category": "network", + "code": "LOGOUT", + "original": "Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)", + "provider": "firewall", + "sequence": 1991220, + "severity": 6, + "type": 
"info" }, "log": { "level": "informational", @@ -827,56 +773,60 @@ "address": "192.168.100.2" } }, - "destination": { - "address": "10.3.66.3", - "ip": "10.3.66.3" + "message": "User john.smith has exited tty session 5(10.5.36.9)", + "network": { + "type": "ipv4" }, - "source": { - "address": "10.4.5.66", - "ip": "10.4.5.66" + "related": { + "ip": [ + "10.5.36.9" + ], + "user": [ + "john.smith" + ] }, - "message": "Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", - "event": { - "severity": 6, - "sequence": 1991221, - "reason": "Invalid RP", - "ingested": "2021-12-14T14:38:00.838134440Z", - "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", - "code": "INVALID_RP_JOIN", - "provider": "firewall", - "action": "multicast-join", - "category": "network", - "type": "info", - "outcome": "failure" + "source": { + "address": "10.5.36.9", + "ip": "10.5.36.9", + "user": { + "name": "john.smith" + } }, + "tags": [ + "preserve_original_event" + ] + }, + { "cisco": { "ios": { "action": "Join", + "facility": "PIM-SW1", + "outcome": "invalid RP", "pim": { "group": { "ip": "10.36.2.78" } - }, - "facility": "PIM-SW1", - "outcome": "invalid RP" + } } }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - } - }, - { + "destination": { + "address": "10.3.66.3", + "ip": "10.3.66.3" + }, "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.4.5.66", - "10.3.66.3" - ] + "event": { + "action": "multicast-join", + "category": "network", + "code": "INVALID_RP_JOIN", + "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", + "outcome": "failure", + "provider": "firewall", + "reason": "Invalid RP", + "sequence": 1991221, + "severity": 6, + "type": "info" }, "log": { "level": "informational", 
@@ -884,106 +834,137 @@ "address": "192.168.100.2" } }, - "destination": { - "address": "10.3.66.3", - "ip": "10.3.66.3" + "message": "Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", + "network": { + "type": "ipv4" + }, + "related": { + "ip": [ + "10.4.5.66", + "10.3.66.3" + ] }, "source": { "address": "10.4.5.66", "ip": "10.4.5.66" }, - "message": "Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", - "event": { - "severity": 6, - "sequence": 1991221, - "reason": "Invalid RP", - "ingested": "2021-12-14T14:38:00.838135074Z", - "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", - "code": "INVALID_RP_JOIN", - "provider": "firewall", - "action": "multicast-join", - "category": "network", - "type": "info", - "outcome": "failure" - }, + "tags": [ + "preserve_original_event" + ] + }, + { "cisco": { "ios": { "action": "Join", + "facility": "PIM-SW1", + "outcome": "invalid RP", "pim": { - "source": { - "ip": "10.50.22.5" - }, "group": { "ip": "10.36.2.78" + }, + "source": { + "ip": "10.50.22.5" } - }, - "facility": "PIM-SW1", - "outcome": "invalid RP" + } } }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - } - }, - { + "destination": { + "address": "10.3.66.3", + "ip": "10.3.66.3" + }, "ecs": { "version": "1.12.0" }, + "event": { + "action": "multicast-join", + "category": "network", + "code": "INVALID_RP_JOIN", + "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", + "outcome": "failure", + "provider": "firewall", + "reason": "Invalid RP", + "sequence": 1991221, + "severity": 6, + "type": "info" + }, "log": { - "level": "warning", + "level": "informational", "source": { "address": "192.168.100.2" } }, - "event": { - "severity": 4, - 
"sequence": 1991217, - "ingested": "2021-12-14T14:38:00.838135554Z", - "original": "Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0", - "code": "NOVALIDKEY", - "provider": "firewall", - "category": "network", - "type": "info" + "message": "Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", + "network": { + "type": "ipv4" }, - "message": "No valid authentication send key is available on interface eth0", - "cisco": { - "ios": { - "facility": "OSPF" - } + "related": { + "ip": [ + "10.4.5.66", + "10.3.66.3" + ] + }, + "source": { + "address": "10.4.5.66", + "ip": "10.4.5.66" }, "tags": [ "preserve_original_event" ] }, { + "cisco": { + "ios": { + "facility": "OSPF" + } + }, "ecs": { "version": "1.12.0" }, + "event": { + "category": "network", + "code": "NOVALIDKEY", + "original": "Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0", + "provider": "firewall", + "sequence": 1991217, + "severity": 4, + "type": "info" + }, "log": { - "level": "informational", + "level": "warning", "source": { "address": "192.168.100.2" } }, + "message": "No valid authentication send key is available on interface eth0", + "tags": [ + "preserve_original_event" + ] + }, + { + "cisco": { + "ios": { + "facility": "CCH323" + } + }, + "ecs": { + "version": "1.12.0" + }, "event": { - "severity": 6, - "sequence": 1991218, - "ingested": "2021-12-14T14:38:00.838136033Z", - "original": "Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", + "category": "network", "code": "CALL_PRESERVED", + "original": "Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to 
socket closure or error, Call Id = 6527, fd = 19", "provider": "firewall", - "category": "network", + "sequence": 1991218, + "severity": 6, "type": "info" }, - "message": "cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", - "cisco": { - "ios": { - "facility": "CCH323" + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" } }, + "message": "cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", "tags": [ "preserve_original_event" ]
diff --git a/packages/cisco/data_stream/ios/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/ios/elasticsearch/ingest_pipeline/default.yml
index decdc78a1c8..23b37b285a2 100644
--- a/packages/cisco/data_stream/ios/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco/data_stream/ios/elasticsearch/ingest_pipeline/default.yml
@@ -2,9 +2,6 @@ description: Pipeline for Cisco IOS logs. processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - set: field: ecs.version value: '1.12.0'
diff --git a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
index 771cad5d353..8bddfdd2256 100644
--- a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
@@ -4,9 +4,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694140861Z" - }, "message": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny", "tags": [ "preserve_original_event"
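Review bot: In the `@@ -884,106 +834,137 @@` hunk of the ios expected-output file, the added `related.ip` arrays for both INVALID_RP_JOIN entries list only `10.4.5.66` and `10.3.66.3`, although the same entries carry `cisco.ios.pim.group.ip: 10.36.2.78` and, in the second entry, `cisco.ios.pim.source.ip: 10.50.22.5`. ECS intends related.ip to collect every IP seen on the event so an analyst can pivot on one field; here the multicast source and group addresses are exactly the values someone investigating a rogue-RP join would search for. Since this is a fixture of pipeline output, the omission points at the ios pipeline's related.ip append step rather than at the fixture itself, and the fixture should be regenerated once that step also appends the pim addresses, e.g. `"10.36.2.78"` and `"10.50.22.5"`. Whether the preceding hunk's first INVALID_RP_JOIN entry is affected the same way cannot be confirmed from here, as its related block is split across the two hunks.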
@@ -16,9 +13,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694143803Z" - }, "message": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu", "tags": [ "preserve_original_event" @@ -28,9 +22,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694144871Z" - }, "message": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", "tags": [ "preserve_original_event" @@ -40,9 +31,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694145780Z" - }, "message": "mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", "tags": [ "preserve_original_event" @@ -52,9 +40,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694146746Z" - }, "message": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", "tags": [ "preserve_original_event" @@ -64,9 +49,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694147626Z" - }, "message": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", "tags": [ "preserve_original_event" @@ -76,9 +58,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694148527Z" - }, "message": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", "tags": [ "preserve_original_event" 
@@ -88,9 +67,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694149398Z" - }, "message": "ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", "tags": [ "preserve_original_event" @@ -100,9 +76,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694150265Z" - }, "message": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", "tags": [ "preserve_original_event" @@ -112,9 +85,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694151123Z" - }, "message": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", "tags": [ "preserve_original_event" @@ -124,9 +94,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694151983Z" - }, "message": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", "tags": [ "preserve_original_event" @@ -136,9 +103,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694153068Z" - }, "message": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu", "tags": [ "preserve_original_event" @@ -148,9 +112,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694154004Z" - }, "message": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", "tags": [ "preserve_original_event" 
@@ -160,9 +121,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694154871Z" - }, "message": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", "tags": [ "preserve_original_event" @@ -172,9 +130,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694155726Z" - }, "message": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", "tags": [ "preserve_original_event" @@ -184,9 +139,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694156667Z" - }, "message": "amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", "tags": [ "preserve_original_event" @@ -196,9 +148,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694157685Z" - }, "message": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", "tags": [ "preserve_original_event" @@ -208,9 +157,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694158582Z" - }, "message": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", "tags": [ "preserve_original_event" 
@@ -220,9 +166,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694159429Z" - }, "message": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", "tags": [ "preserve_original_event" @@ -232,9 +175,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694160282Z" - }, "message": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", "tags": [ "preserve_original_event" @@ -244,9 +184,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694161135Z" - }, "message": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", "tags": [ "preserve_original_event" 
@@ -256,9 +193,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694161988Z" - }, "message": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam", "tags": [ "preserve_original_event" @@ -268,9 +202,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694162851Z" - }, "message": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", "tags": [ "preserve_original_event" @@ -280,9 +211,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694163856Z" - }, "message": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", "tags": [ "preserve_original_event" @@ -292,9 +220,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694164723Z" - }, "message": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", "tags": [ "preserve_original_event" 
@@ -304,9 +229,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694165571Z" - }, "message": "nisiuta 1484921656.roid inibusB flows cancel", "tags": [ "preserve_original_event" @@ -316,9 +238,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694166423Z" - }, "message": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", "tags": [ "preserve_original_event" @@ -328,9 +247,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694167278Z" - }, "message": "amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", "tags": [ "preserve_original_event" @@ -340,9 +256,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694168123Z" - }, "message": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", "tags": [ "preserve_original_event" @@ -352,9 +265,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694168973Z" - }, "message": "oin 1489861473.mvenia madminim events IDS: fugitsed", "tags": [ "preserve_original_event" @@ -364,9 +274,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694169845Z" - }, "message": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", "tags": [ "preserve_original_event" 
@@ -376,9 +283,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694170687Z" - }, "message": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", "tags": [ "preserve_original_event" @@ -388,9 +292,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694171531Z" - }, "message": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", "tags": [ "preserve_original_event" @@ -400,9 +301,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694172384Z" - }, "message": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", "tags": [ "preserve_original_event" @@ -412,9 +310,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694173389Z" - }, "message": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", "tags": [ "preserve_original_event" 
@@ -424,9 +319,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694174259Z" - }, "message": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", "tags": [ "preserve_original_event" @@ -436,9 +328,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694175121Z" - }, "message": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", "tags": [ "preserve_original_event" @@ -448,9 +337,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694175983Z" - }, "message": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", "tags": [ "preserve_original_event" @@ -460,9 +346,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694176848Z" - }, "message": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", "tags": [ "preserve_original_event" 
@@ -472,9 +355,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694177712Z" - }, "message": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse", "tags": [ "preserve_original_event" @@ -484,9 +364,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694178573Z" - }, "message": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", "tags": [ "preserve_original_event" @@ -496,9 +373,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694179454Z" - }, "message": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", "tags": [ "preserve_original_event" @@ -508,9 +382,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694180298Z" - }, "message": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq ", "tags": [ "preserve_original_event" 
@@ -520,9 +391,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694181141Z" - }, "message": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", "tags": [ "preserve_original_event" @@ -532,9 +400,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694182020Z" - }, "message": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16", "tags": [ "preserve_original_event" @@ -544,9 +409,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694182868Z" - }, "message": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", "tags": [ "preserve_original_event" @@ -556,9 +418,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694183732Z" - }, "message": "esci 1510855695.uov quaeab_ events IDS: moles", "tags": [ "preserve_original_event" @@ -568,9 +427,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694184592Z" - }, "message": "accusa 1512090649.natu liquid events IDS: enim", "tags": [ "preserve_original_event" 
@@ -580,9 +436,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694185442Z" - }, "message": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", "tags": [ "preserve_original_event" @@ -592,9 +445,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694186287Z" - }, "message": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", "tags": [ "preserve_original_event" @@ -604,9 +454,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694187266Z" - }, "message": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", "tags": [ "preserve_original_event" @@ -616,9 +463,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694188127Z" - }, "message": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", "tags": [ "preserve_original_event" @@ -628,9 +472,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694189005Z" - }, "message": "uide 1518265421.scivel henderi_appliance events IDS: iusmodt", "tags": [ "preserve_original_event" @@ -640,9 +481,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694189861Z" - }, "message": "tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", "tags": [ "preserve_original_event" 
@@ -652,9 +490,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694190703Z" - }, "message": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", "tags": [ "preserve_original_event" @@ -664,9 +499,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694191627Z" - }, "message": "tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", "tags": [ "preserve_original_event" @@ -676,9 +508,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694192466Z" - }, "message": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", "tags": [ "preserve_original_event" @@ -688,9 +517,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694193314Z" - }, "message": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny", "tags": [ "preserve_original_event" @@ -700,9 +526,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694194328Z" - }, "message": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", "tags": [ "preserve_original_event" @@ -712,9 +535,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694195391Z" - }, "message": "essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", "tags": [ "preserve_original_event" 
@@ -724,9 +544,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694196244Z" - }, "message": "lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia", "tags": [ "preserve_original_event" @@ -736,9 +553,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694197106Z" - }, "message": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", "tags": [ "preserve_original_event" @@ -748,9 +562,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694197960Z" - }, "message": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", "tags": [ "preserve_original_event" @@ -760,9 +571,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694198809Z" - }, "message": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", "tags": [ "preserve_original_event" @@ -772,9 +580,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694199671Z" - }, "message": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", "tags": [ "preserve_original_event" @@ -784,9 +589,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694200549Z" - }, "message": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95", "tags": [ "preserve_original_event" 
@@ -796,9 +598,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694201418Z" - }, "message": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori", "tags": [ "preserve_original_event" @@ -808,9 +607,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694202267Z" - }, "message": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", "tags": [ "preserve_original_event" 
@@ -820,9 +616,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694203122Z" - }, "message": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", "tags": [ "preserve_original_event" @@ -832,9 +625,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694203979Z" - }, "message": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", "tags": [ "preserve_original_event" @@ -844,9 +634,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694204858Z" - }, "message": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", "tags": [ "preserve_original_event" @@ -856,9 +643,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694205700Z" - }, "message": "idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", "tags": [ "preserve_original_event" 
@@ -868,9 +652,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694206556Z" - }, "message": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", "tags": [ "preserve_original_event" @@ -880,9 +661,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694207409Z" - }, "message": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb", "tags": [ "preserve_original_event" @@ -892,9 +670,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694208416Z" - }, "message": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", "tags": [ "preserve_original_event" @@ -904,9 +679,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694209298Z" - }, "message": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", "tags": [ "preserve_original_event" @@ -916,9 +688,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694210163Z" - }, "message": "sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", "tags": [ "preserve_original_event" @@ -928,9 +697,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694211021Z" - }, "message": "edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", "tags": [ "preserve_original_event" 
@@ -940,9 +706,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694211879Z" - }, "message": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", "tags": [ "preserve_original_event" @@ -952,9 +715,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694212731Z" - }, "message": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", "tags": [ "preserve_original_event" @@ -964,9 +724,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694213581Z" - }, "message": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", "tags": [ "preserve_original_event" @@ -976,9 +733,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694214435Z" - }, "message": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum", "tags": [ "preserve_original_event" @@ -988,9 +742,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694215310Z" - }, "message": "ercitati 1555314049.atem serro flows cancel", "tags": [ "preserve_original_event" @@ -1000,9 +751,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694216168Z" - }, "message": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", "tags": [ "preserve_original_event" 
@@ -1012,9 +760,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694217034Z" - }, "message": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", "tags": [ "preserve_original_event" @@ -1024,9 +769,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694217881Z" - }, "message": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", "tags": [ "preserve_original_event" @@ -1036,9 +778,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694218727Z" - }, "message": "saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58", "tags": [ "preserve_original_event" @@ -1048,9 +787,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694219588Z" - }, "message": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", "tags": [ "preserve_original_event" @@ -1060,9 +796,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694220435Z" - }, "message": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", "tags": [ "preserve_original_event" 
@@ -1072,9 +805,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694221362Z" - }, "message": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", "tags": [ "preserve_original_event" @@ -1084,9 +814,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694222247Z" - }, "message": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", "tags": [ "preserve_original_event" 
@@ -1096,9 +823,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694223132Z" - }, "message": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", "tags": [ "preserve_original_event" @@ -1108,9 +832,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694223991Z" - }, "message": "metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", "tags": [ "preserve_original_event" @@ -1120,9 +841,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694224852Z" - }, "message": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", "tags": [ "preserve_original_event" @@ -1132,9 +850,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694225698Z" - }, "message": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", "tags": [ "preserve_original_event" @@ -1144,9 +859,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694226592Z" - }, "message": "deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", "tags": [ "preserve_original_event" 
@@ -1156,9 +868,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694227503Z" - }, "message": "orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", "tags": [ "preserve_original_event" @@ -1168,9 +877,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694228348Z" - }, "message": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", "tags": [ "preserve_original_event" @@ -1180,9 +886,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694229194Z" - }, "message": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", "tags": [ "preserve_original_event" @@ -1192,9 +895,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T12:04:26.694230048Z" - }, "message": "orr 1576308271.pre aute events IDS: rchite", "tags": [ "preserve_original_event" diff --git a/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml index a932e4cc8eb..9d52405888d 100644 --- a/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml 
@@ -3,9 +3,6 @@
 description: Pipeline for Cisco Meraki
 processors:
 # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
 - set:
 field: ecs.version
 value: '8.0.0'
diff --git a/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml
index a9946fcdb8c..0ae3463d969 100644
--- a/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml
@@ -3,9 +3,6 @@
 description: Pipeline for Cisco Nexus
 processors:
 # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
 - set:
 field: ecs.version
 value: '8.0.0'
diff --git a/packages/cisco/manifest.yml b/packages/cisco/manifest.yml
index f0d99411a74..97ab3fcce30 100644
--- a/packages/cisco/manifest.yml
+++ b/packages/cisco/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco
 title: Cisco
-version: 0.13.1
+version: 0.13.2
 license: basic
 description: Deprecated. Use a specific Cisco package instead.
 type: integration
diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml
index 5470b4b10cc..9a2c19a3353 100644
--- a/packages/cisco_duo/changelog.yml
+++ b/packages/cisco_duo/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.2"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
 - version: "1.1.1"
 changes:
 - description: Add documentation for multi-fields
diff --git a/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json b/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json
index f39238f796c..6e4a6225320 100644
--- a/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json
+++ b/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json
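Review bot: The comment `# ECS event.ingested` survives the removal of the processor it described and now sits directly above the `ecs.version` set, both in this meraki pipeline hunk and in the nexus hunk that follows it; drop it or reword it to `# ECS version`. The deletion presumably leaves population of event.ingested to the Fleet final pipeline, and since detection-rule lookback windows key on that field, it is worth confirming that every deployment path for these data streams actually runs that pipeline. The processors list continues outside the hunk.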
@@ -2,293 +2,285 @@ "expected": [ { "@timestamp": "2021-07-20T11:41:31.000Z", + "cisco_duo": { + "admin": { + "action": "activation_begin", + "user": { + "name": "narroway" + } + } + }, "ecs": { "version": "8.0.0" }, "event": { "action": "activation_begin", - "ingested": "2021-12-29T09:37:47.270933529Z", - "original": "{\"action\":\"activation_begin\",\"description\":null,\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}", "kind": "event", + "original": "{\"action\":\"activation_begin\",\"description\":null,\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}", "outcome": "success" }, - "user": { - "name": "narroway" - }, "tags": [ "preserve_original_event" ], - "cisco_duo": { - "admin": { - "action": "activation_begin", - "user": { - "name": "narroway" - } - } + "user": { + "name": "narroway" } }, { "@timestamp": "2021-07-20T11:44:37.000Z", + "cisco_duo": { + "admin": { + "action": "admin_activate_duo_push", + "action_performed_on": "940-967-2177", + "flattened": { + "number": "+12345678901" + } + } + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2021-12-29T09:37:47.270944711Z", - "original": "{\"action\":\"admin_activate_duo_push\",\"description\":\"{\\\"number\\\": \\\"+12345678901\\\", \\\"extension\\\": \\\"\\\"}\",\"isotimestamp\":\"2021-07-20T11:44:37+00:00\",\"object\":\"940-967-2177\",\"timestamp\":1626781477,\"username\":\"\"}", - "kind": "event", "action": "admin_activate_duo_push", "category": "iam", + "kind": "event", + "original": "{\"action\":\"admin_activate_duo_push\",\"description\":\"{\\\"number\\\": \\\"+12345678901\\\", \\\"extension\\\": \\\"\\\"}\",\"isotimestamp\":\"2021-07-20T11:44:37+00:00\",\"object\":\"940-967-2177\",\"timestamp\":1626781477,\"username\":\"\"}", + "outcome": "success", "type": [ "admin" - ], - "outcome": "success" - }, - "user": { - "target": { - "name": "940-967-2177" - } + ] 
}, "tags": [ "preserve_original_event" ], - "cisco_duo": { - "admin": { - "flattened": { - "number": "+12345678901" - }, - "action_performed_on": "940-967-2177", - "action": "admin_activate_duo_push" + "user": { + "target": { + "name": "940-967-2177" } } }, { "@timestamp": "2021-07-20T11:41:31.000Z", + "cisco_duo": { + "admin": { + "action": "activation_begin", + "user": { + "name": "narroway" + } + } + }, "ecs": { "version": "8.0.0" }, "event": { - "reason": "Starting activation process", "action": "activation_begin", - "ingested": "2021-12-29T09:37:47.270947855Z", - "original": "{\"action\":\"activation_begin\",\"description\":\"Starting activation process\",\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}", "kind": "event", - "outcome": "success" + "original": "{\"action\":\"activation_begin\",\"description\":\"Starting activation process\",\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}", + "outcome": "success", + "reason": "Starting activation process" }, "message": "Starting activation process", - "user": { - "name": "narroway" - }, "tags": [ "preserve_original_event" ], + "user": { + "name": "narroway" + } + }, + { + "@timestamp": "2021-07-20T11:44:09.000Z", "cisco_duo": { "admin": { - "action": "activation_begin", + "action": "activation_set_password", + "action_performed_on": "narroway", "user": { "name": "narroway" } } - } - }, - { - "@timestamp": "2021-07-20T11:44:09.000Z", + }, "ecs": { "version": "8.0.0" }, "event": { "action": "activation_set_password", - "ingested": "2021-12-29T09:37:47.270948731Z", - "original": "{\"action\":\"activation_set_password\",\"description\":null,\"isotimestamp\":\"2021-07-20T11: 44: 09+00: 00\",\"object\":\"narroway\",\"timestamp\":1626781449,\"username\":\"narroway\"}", "kind": "event", + "original": 
"{\"action\":\"activation_set_password\",\"description\":null,\"isotimestamp\":\"2021-07-20T11: 44: 09+00: 00\",\"object\":\"narroway\",\"timestamp\":1626781449,\"username\":\"narroway\"}", "outcome": "success" }, + "tags": [ + "preserve_original_event" + ], "user": { "name": "narroway", "target": { "name": "narroway" } - }, - "tags": [ - "preserve_original_event" - ], + } + }, + { + "@timestamp": "2021-07-20T11:44:37.000Z", "cisco_duo": { "admin": { - "action_performed_on": "narroway", - "action": "activation_set_password", + "action": "admin_self_activate", + "action_performed_on": "jsmith", + "flattened": { + "email": "narroway@example.com", + "is_temporary_password": false, + "name": "narroway", + "phone": "+12345678901", + "restricted_by_admin_units": false, + "role": "Owner", + "status": "Pending Activation" + }, "user": { "name": "narroway" } } - } - }, - { - "@timestamp": "2021-07-20T11:44:37.000Z", + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2021-12-29T09:37:47.270949599Z", - "original": "{\"action\":\"admin_self_activate\",\"description\":\"{\\\"name\\\": \\\"narroway\\\", \\\"phone\\\": \\\"+12345678901\\\", \\\"is_temporary_password\\\": false, \\\"email\\\": \\\"narroway@example.com\\\", \\\"hardtoken\\\": null, \\\"role\\\": \\\"Owner\\\", \\\"status\\\": \\\"Pending Activation\\\", \\\"restricted_by_admin_units\\\": false, \\\"administrative_units\\\": \\\"\\\"}\",\"isotimestamp\":\"2021-07-20T11:44:37+00:00\",\"object\":\"jsmith\",\"timestamp\":1626781477,\"username\":\"narroway\"}", - "kind": "event", "action": "admin_self_activate", "category": "iam", + "kind": "event", + "original": "{\"action\":\"admin_self_activate\",\"description\":\"{\\\"name\\\": \\\"narroway\\\", \\\"phone\\\": \\\"+12345678901\\\", \\\"is_temporary_password\\\": false, \\\"email\\\": \\\"narroway@example.com\\\", \\\"hardtoken\\\": null, \\\"role\\\": \\\"Owner\\\", \\\"status\\\": \\\"Pending Activation\\\", \\\"restricted_by_admin_units\\\": false, 
\\\"administrative_units\\\": \\\"\\\"}\",\"isotimestamp\":\"2021-07-20T11:44:37+00:00\",\"object\":\"jsmith\",\"timestamp\":1626781477,\"username\":\"narroway\"}", + "outcome": "success", "type": [ "admin" - ], - "outcome": "success" + ] }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "narroway", "email": "narroway@example.com", + "name": "narroway", "target": { "name": "jsmith" } - }, - "tags": [ - "preserve_original_event" - ], + } + }, + { + "@timestamp": "2021-07-20T11:45:11.000Z", "cisco_duo": { "admin": { + "action": "admin_update", + "action_performed_on": "narroway", "flattened": { - "role": "Owner", - "phone": "+12345678901", - "restricted_by_admin_units": false, - "name": "narroway", - "is_temporary_password": false, - "email": "narroway@example.com", - "status": "Pending Activation" + "phone": "+451234567890" }, - "action_performed_on": "jsmith", - "action": "admin_self_activate", "user": { "name": "narroway" } } - } - }, - { - "@timestamp": "2021-07-20T11:45:11.000Z", + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2021-12-29T09:37:47.270950423Z", - "original": "{\"action\":\"admin_update\",\"description\":\"{\\\"phone\\\": \\\"+451234567890\\\"}\",\"isotimestamp\":\"2021-07-20T11:45:11+00:00\",\"object\":\"narroway\",\"timestamp\":1626781511,\"username\":\"narroway\"}", - "kind": "event", "action": "admin_update", "category": "iam", + "kind": "event", + "original": "{\"action\":\"admin_update\",\"description\":\"{\\\"phone\\\": \\\"+451234567890\\\"}\",\"isotimestamp\":\"2021-07-20T11:45:11+00:00\",\"object\":\"narroway\",\"timestamp\":1626781511,\"username\":\"narroway\"}", + "outcome": "success", "type": [ "admin", "change" - ], - "outcome": "success" + ] }, + "tags": [ + "preserve_original_event" + ], "user": { "name": "narroway", "target": { "name": "narroway" } - }, - "tags": [ - "preserve_original_event" - ], + } + }, + { + "@timestamp": "2021-07-20T11:45:11.000Z", "cisco_duo": { "admin": { + "action": 
"user_update", + "action_performed_on": "narroway", "flattened": { - "phone": "+451234567890" + "Sync Ref. Code": "41c7e5714a91d17dea11157539d5d1ac", + "realname": "test 4" }, - "action_performed_on": "narroway", - "action": "admin_update", "user": { "name": "narroway" } } - } - }, - { - "@timestamp": "2021-07-20T11:45:11.000Z", + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2021-12-29T09:37:47.270951256Z", - "original": "{\"action\":\"user_update\",\"description\":\"{\\\"realname\\\": \\\"test 4\\\", \\\"Sync Ref. Code\\\": \\\"41c7e5714a91d17dea11157539d5d1ac\\\"}\",\"isotimestamp\":\"2021-07-20T11:45:11+00:00\",\"object\":\"narroway\",\"timestamp\":1626781511,\"username\":\"narroway\"}", - "kind": "event", "action": "user_update", "category": "iam", + "kind": "event", + "original": "{\"action\":\"user_update\",\"description\":\"{\\\"realname\\\": \\\"test 4\\\", \\\"Sync Ref. Code\\\": \\\"41c7e5714a91d17dea11157539d5d1ac\\\"}\",\"isotimestamp\":\"2021-07-20T11:45:11+00:00\",\"object\":\"narroway\",\"timestamp\":1626781511,\"username\":\"narroway\"}", + "outcome": "success", "type": [ "user", "change" - ], - "outcome": "success" + ] }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "narroway", "changes": { "name": "test 4" }, + "name": "narroway", "target": { "name": "narroway" } - }, - "tags": [ - "preserve_original_event" - ], + } + }, + { + "@timestamp": "2021-07-20T11:45:11.000Z", "cisco_duo": { "admin": { + "action": "user_update", + "action_performed_on": "narroway", "flattened": { "Sync Ref. 
Code": "41c7e5714a91d17dea11157539d5d1ac", - "realname": "test 4" + "email": "narroway@example.com" }, - "action_performed_on": "narroway", - "action": "user_update", "user": { "name": "narroway" } } - } - }, - { - "@timestamp": "2021-07-20T11:45:11.000Z", + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2021-12-29T09:37:47.270952063Z", - "original": "{\"action\":\"user_update\",\"description\":\"{\\\"email\\\": \\\"narroway@example.com\\\", \\\"Sync Ref. Code\\\": \\\"41c7e5714a91d17dea11157539d5d1ac\\\"}\",\"isotimestamp\":\"2021-07-20T11:45:11+00:00\",\"object\":\"narroway\",\"timestamp\":1626781511,\"username\":\"narroway\"}", - "kind": "event", "action": "user_update", "category": "iam", + "kind": "event", + "original": "{\"action\":\"user_update\",\"description\":\"{\\\"email\\\": \\\"narroway@example.com\\\", \\\"Sync Ref. Code\\\": \\\"41c7e5714a91d17dea11157539d5d1ac\\\"}\",\"isotimestamp\":\"2021-07-20T11:45:11+00:00\",\"object\":\"narroway\",\"timestamp\":1626781511,\"username\":\"narroway\"}", + "outcome": "success", "type": [ "user", "change" - ], - "outcome": "success" + ] }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "narroway", "changes": { "email": "narroway@example.com" }, + "name": "narroway", "target": { "name": "narroway" } - }, - "tags": [ - "preserve_original_event" - ], - "cisco_duo": { - "admin": { - "flattened": { - "email": "narroway@example.com", - "Sync Ref. Code": "41c7e5714a91d17dea11157539d5d1ac" - }, - "action_performed_on": "narroway", - "action": "user_update", - "user": { - "name": "narroway" - } - } } } ] diff --git a/packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml index 06c0a1fbea0..50fd05d84f1 100644 --- a/packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml 
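Review bot: In the second event of this fixture the new `user.target.name` is `"940-967-2177"`, a phone number, because `admin_activate_duo_push` reports its `object` as the activated device rather than a user; the same `cisco_duo.admin.action_performed_on` value is also copied into `user.target.name` for `admin_self_activate` and `user_update`, where it really is a user. If the admin pipeline (outside this hunk) maps `object` into `user.target.name` unconditionally, phone numbers will end up in the user entity space that detection and entity analytics key on; consider gating that copy on the action and leaving the device identifier only under `cisco_duo.admin.action_performed_on`. The expected-file change itself only reorders keys and drops `event.ingested`, so the point concerns what the fixture documents rather than this diff's edits.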
@@ -1,9 +1,6 @@
 ---
 description: Pipeline for parsing cisco_duo administrator logs
 processors:
- - set:
- field: event.ingested
- value: "{{{_ingest.timestamp}}}"
 - set:
 field: ecs.version
 value: '8.0.0'
@@ -42,7 +39,7 @@ processors:
 value: success
 - set:
 field: event.outcome
- value: failed
+ value: failure
 if: ctx?.json?.action instanceof String && ['ad_sync_failed','admin_2fa_error','admin_login_error','azure_sync_fail','openldap_sync_failed'].contains(ctx?.json?.action)
 - append:
 field: event.type
diff --git a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
index c180bac4f72..dc350dbbf4e 100644
--- a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
+++ b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
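Review bot: The `value: failure` change brings event.outcome into the ECS vocabulary, but the admin fixture in this same PR still shows `event.category` as the scalar `"iam"` beside `event.type` as the array `["admin"]`, and the auth fixture shows both `category` and `type` as scalars; ECS models both as arrays, so the category processors in this pipeline (outside the hunk) presumably use `set` where `append` would keep the shape consistent with the `- append: field: event.type` step visible here. Elasticsearch accepts either shape for a keyword field, so this is a consistency problem for consumers that read the documents rather than a mapping failure, but it sits squarely within the "make fields agree with ECS" intent. The surrounding `success` set and its condition begin before this hunk.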
@@ -2,9 +2,54 @@
 "expected": [
 {
 "@timestamp": "2020-02-13T18:56:20.000Z",
+ "cisco_duo": {
+ "auth": {
+ "access_device": {
+ "flash_version": "uninstalled",
+ "ip": "89.160.20.156",
+ "is_encryption_enabled": "true",
+ "is_firewall_enabled": "true",
+ "is_password_set": "true",
+ "java_version": "uninstalled",
+ "location": {
+ "city": "Ann Arbor",
+ "country": "United States",
+ "state": "Michigan"
+ }
+ },
+ "application": {
+ "key": "DIY231J8BR23QK4UKBY8",
+ "name": "Microsoft Azure Active Directory"
+ },
+ "auth_device": {
+ "ip": "192.168.225.254",
+ "location": {
+ "city": "Ann Arbor",
+ "country": "United States",
+ "state": "Michigan"
+ },
+ "name": "My iPhone X (734-555-2342)"
+ },
+ "email": "narroway@example.com",
+ "event_type": "authentication",
+ "factor": "duo_push",
+ "reason": "user_approved",
+ "result": "success",
+ "trusted_endpoint_status": "not trusted",
+ "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb"
+ }
+ },
 "ecs": {
 "version": "8.0.0"
 },
+ "event": {
+ "category": "authentication",
+ "kind": "event",
+ "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}",
+ "outcome": "success",
+ "reason": "user_approved",
+ "type": "info"
+ },
 "related": {
 "ip": [
 "89.160.20.156",
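Review bot: The new `cisco_duo.auth.access_device` block documents `is_encryption_enabled`, `is_firewall_enabled` and `is_password_set` as the strings `"true"`, while `event.original` on the same event carries them as JSON booleans (`\"is_encryption_enabled\":true`), so the auth pipeline is stringifying a boolean somewhere before this fixture is produced. If those fields are mapped as `boolean` in the data stream's fields.yml Elasticsearch will coerce the string at index time, but if they are `keyword` a query for `true` and for `"true"` diverge and the endpoint-posture signal these flags represent (disk encryption, firewall, screen lock) becomes awkward to filter on; the mapping is outside this diff, so confirm which applies and, if keyword, convert with a `convert` processor (`type: boolean`) so the fixture shows `true`. The related/ip block continues in the next hunk.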
@@ -12,581 +57,531 @@ ] }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, + "address": "89.160.20.156", "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, - "address": "89.160.20.156", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "user": { - "name": "narroway@example.com", - "id": "DU3KC77WJ06Y5HIV7XKQ", "email": "narroway@example.com", "group": { "name": [ "Duo Users", "CorpHQ Users" ] - } - }, - "ip": "89.160.20.156" - }, - "event": { - "reason": "user_approved", - "ingested": "2021-12-29T09:37:48.755124421Z", - "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X 
(734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}", - "kind": "event", - "category": "authentication", - "type": "info", - "outcome": "success" + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway@example.com" + } }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "narroway@example.com", "email": "narroway@example.com", - "id": "DU3KC77WJ06Y5HIV7XKQ" + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway@example.com" }, "user_agent": { + "name": "Chrome", "os": { "name": "Mac OS X", "version": "10.14.1" }, - "name": "Chrome", "version": "67.0.3396.99" - }, - "tags": [ - "preserve_original_event" - ], + } + }, + { + "@timestamp": "2021-07-23T07:21:51.000Z", "cisco_duo": { "auth": { - "result": "success", - "reason": "user_approved", "access_device": { - "is_password_set": "true", "flash_version": "uninstalled", "ip": "89.160.20.156", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", "java_version": "uninstalled", "location": { - "country": "United States", "city": "Ann Arbor", + "country": "United States", "state": "Michigan" - }, - "is_encryption_enabled": "true", - "is_firewall_enabled": "true" + } }, - "event_type": "authentication", "application": { - "name": "Microsoft Azure Active Directory", - "key": "DIY231J8BR23QK4UKBY8" + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" }, - "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb", - "factor": "duo_push", "auth_device": { - "name": "My iPhone X (734-555-2342)", + "as": { + "number": 29518, + 
"organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "location": { - "country": "United States", "city": "Ann Arbor", + "country": "United States", "state": "Michigan" }, - "ip": "192.168.225.254" + "name": "+91 12345 12345" }, "email": "narroway@example.com", - "trusted_endpoint_status": "not trusted" + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_approved", + "result": "success", + "txid": "fa59a691-9139-43e9-9854-f9e1dbf72af5" } - } - }, - { - "@timestamp": "2021-07-23T07:21:51.000Z", + }, "ecs": { "version": "8.0.0" }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:21:51.271776+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1627024911,\"txid\":\"fa59a691-9139-43e9-9854-f9e1dbf72af5\",\"user\":{\"groups\":[\"AD 
Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "success", + "reason": "user_approved", + "type": "info" + }, "related": { "ip": [ "89.160.20.156" ] }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, + "address": "89.160.20.156", "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, - "address": "89.160.20.156", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "user": { - "name": "narroway", - "id": "DU3KC77WJ06Y5HIV7XKQ", "email": "narroway@example.com", "group": { "name": [ "AD Sync" ] - } - }, - "ip": "89.160.20.156" - }, - "event": { - "reason": "user_approved", - "ingested": "2021-12-29T09:37:48.755127038Z", - "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 
12345\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:21:51.271776+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1627024911,\"txid\":\"fa59a691-9139-43e9-9854-f9e1dbf72af5\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", - "kind": "event", - "category": "authentication", - "type": "info", - "outcome": "success" + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "narroway", "email": "narroway@example.com", - "id": "DU3KC77WJ06Y5HIV7XKQ" + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" }, "user_agent": { + "name": "Chrome", "os": { "name": "Windows", "version": "10" }, - "name": "Chrome", "version": "92.0.4515.107" - }, - "tags": [ - "preserve_original_event" - ], + } + }, + { + "@timestamp": "2021-08-12T09:14:23.000Z", "cisco_duo": { "auth": { - "result": "success", - "reason": "user_approved", "access_device": { - "is_password_set": "unknown", "flash_version": "uninstalled", "ip": "89.160.20.156", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", "java_version": "uninstalled", "location": { - "country": "United States", "city": "Ann Arbor", + "country": "United States", "state": "Michigan" - }, - "is_encryption_enabled": "unknown", - "is_firewall_enabled": "unknown" + } }, - "event_type": "authentication", "application": { - "name": "Duo Access Gateway Launcher", - "key": "DIY231J8BR23QK4UKBY8" + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" }, - "txid": "fa59a691-9139-43e9-9854-f9e1dbf72af5", - "factor": "duo_push", "auth_device": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - 
"location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, - "name": "+91 12345 12345", "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "location": { - "country": "United States", "city": "Ann Arbor", + "country": "United States", "state": "Michigan" }, - "ip": "89.160.20.156" + "name": "+91 12345 12345" }, - "email": "narroway@example.com" + "email": "narroway@example.com", + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_approved", + "result": "success", + "txid": "861a81e7-1f60-4865-95eb-57d9c43ce073" } - } - }, - { - "@timestamp": "2021-08-12T09:14:23.000Z", + }, "ecs": { "version": "8.0.0" }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.131\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 
12345\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-08-12T09:14:23.060168+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1628759663,\"txid\":\"861a81e7-1f60-4865-95eb-57d9c43ce073\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "success", + "reason": "user_approved", + "type": "info" + }, "related": { "ip": [ "89.160.20.156" ] }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, + "address": "89.160.20.156", "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, - "address": "89.160.20.156", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "user": { - "name": "narroway", - "id": "DU3KC77WJ06Y5HIV7XKQ", "email": "narroway@example.com", "group": { "name": [ "AD Sync" ] - } - }, - "ip": "89.160.20.156" - }, - "event": { - "reason": "user_approved", - "ingested": "2021-12-29T09:37:48.755127957Z", - "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.131\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway 
Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-08-12T09:14:23.060168+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1628759663,\"txid\":\"861a81e7-1f60-4865-95eb-57d9c43ce073\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", - "kind": "event", - "category": "authentication", - "type": "info", - "outcome": "success" + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "narroway", "email": "narroway@example.com", - "id": "DU3KC77WJ06Y5HIV7XKQ" + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" }, "user_agent": { + "name": "Chrome", "os": { "name": "Windows", "version": "10" }, - "name": "Chrome", "version": "92.0.4515.131" - }, - "tags": [ - "preserve_original_event" - ], + } + }, + { + "@timestamp": "2021-07-23T07:20:54.000Z", "cisco_duo": { "auth": { - "result": "success", - "reason": "user_approved", "access_device": { - "is_password_set": "unknown", "flash_version": "uninstalled", "ip": "89.160.20.156", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", "java_version": "uninstalled", "location": { - "country": "United States", "city": "Ann Arbor", + "country": "United States", "state": "Michigan" - }, - "is_encryption_enabled": "unknown", - "is_firewall_enabled": "unknown" + } }, - "event_type": "authentication", "application": { - "name": "Duo Access Gateway Launcher", - "key": "DIY231J8BR23QK4UKBY8" + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" }, - "txid": "861a81e7-1f60-4865-95eb-57d9c43ce073", - "factor": "duo_push", "auth_device": { - "geo": { - "continent_name": 
"Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, - "name": "+91 12345 12345", "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "location": { - "country": "United States", "city": "Ann Arbor", + "country": "United States", "state": "Michigan" }, - "ip": "89.160.20.156" + "name": "+91 12345 12345" }, - "email": "narroway@example.com" + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_marked_fraud", + "result": "fraud", + "txid": "78e1a910-350b-4226-828b-edb0ac2f2e3c" } - } - }, - { - "@timestamp": "2021-07-23T07:20:54.000Z", + }, "ecs": { "version": "8.0.0" }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 
12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:20:54.700050+00:00\",\"ood_software\":null,\"reason\":\"user_marked_fraud\",\"result\":\"fraud\",\"timestamp\":1627024854,\"txid\":\"78e1a910-350b-4226-828b-edb0ac2f2e3c\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_marked_fraud", + "type": "info" + }, "related": { "ip": [ "89.160.20.156" ] }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, + "address": "89.160.20.156", "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, - "address": "89.160.20.156", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "user": { - "name": "narroway", - "id": "DU3KC77WJ06Y5HIV7XKQ", "group": { "name": [ "AD Sync" ] - } - }, - "ip": "89.160.20.156" - }, - "event": { - "reason": "user_marked_fraud", - "ingested": "2021-12-29T09:37:48.755128760Z", - "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway 
Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:20:54.700050+00:00\",\"ood_software\":null,\"reason\":\"user_marked_fraud\",\"result\":\"fraud\",\"timestamp\":1627024854,\"txid\":\"78e1a910-350b-4226-828b-edb0ac2f2e3c\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", - "kind": "event", - "category": "authentication", - "type": "info", - "outcome": "failed" + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "narroway", - "id": "DU3KC77WJ06Y5HIV7XKQ" + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" }, "user_agent": { + "name": "Chrome", "os": { "name": "Windows", "version": "10" }, - "name": "Chrome", "version": "92.0.4515.107" - }, - "tags": [ - "preserve_original_event" - ], + } + }, + { + "@timestamp": "2021-07-23T07:19:34.000Z", "cisco_duo": { "auth": { - "result": "fraud", - "reason": "user_marked_fraud", "access_device": { - "is_password_set": "unknown", "flash_version": "uninstalled", "ip": "89.160.20.156", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", "java_version": "uninstalled", "location": { - "country": "United States", "city": "Ann Arbor", + "country": "United States", "state": "Michigan" - }, - "is_encryption_enabled": "unknown", - "is_firewall_enabled": "unknown" + } }, - "event_type": "authentication", "application": { - "name": "Duo Access Gateway Launcher", - "key": "DIY231J8BR23QK4UKBY8" + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" }, - "txid": "78e1a910-350b-4226-828b-edb0ac2f2e3c", - "factor": "duo_push", "auth_device": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - 
"city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, - "name": "+91 12345 12345", "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "location": { - "country": "United States", "city": "Ann Arbor", + "country": "United States", "state": "Michigan" }, - "ip": "89.160.20.156" - } + "name": "+91 12345 12345" + }, + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_mistake", + "result": "denied", + "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3" } - } - }, - { - "@timestamp": "2021-07-23T07:19:34.000Z", + }, "ecs": { "version": "8.0.0" }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 
12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_mistake", + "type": "info" + }, "related": { "ip": [ "89.160.20.156" ] }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, + "address": "89.160.20.156", "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, - "address": "89.160.20.156", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "user": { - "name": "narroway", - "id": "DU3KC77WJ06Y5HIV7XKQ", "group": { "name": [ "AD Sync" ] - } - }, - "ip": "89.160.20.156" - }, - "event": { - "reason": "user_mistake", - "ingested": "2021-12-29T09:37:48.755129544Z", - "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway 
Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", - "kind": "event", - "category": "authentication", - "type": "info", - "outcome": "failed" + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "narroway", - "id": "DU3KC77WJ06Y5HIV7XKQ" + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" }, "user_agent": { + "name": "Chrome", "os": { "name": "Windows", "version": "10" }, - "name": "Chrome", "version": "92.0.4515.107" - }, - "tags": [ - "preserve_original_event" - ], - "cisco_duo": { - "auth": { - "result": "denied", - "reason": "user_mistake", - "access_device": { - "is_password_set": "unknown", - "flash_version": "uninstalled", - "ip": "89.160.20.156", - "java_version": "uninstalled", - "location": { - "country": "United States", - "city": "Ann Arbor", - "state": "Michigan" - }, - "is_encryption_enabled": "unknown", - "is_firewall_enabled": "unknown" - }, - "event_type": "authentication", - "application": { - "name": "Duo Access Gateway Launcher", - "key": "DIY231J8BR23QK4UKBY8" - }, - "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3", - "factor": "duo_push", - "auth_device": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, - "name": "+91 12345 12345", - "as": { - "number": 29518, - "organization": { - 
"name": "Bredband2 AB" - } - }, - "location": { - "country": "United States", - "city": "Ann Arbor", - "state": "Michigan" - }, - "ip": "89.160.20.156" - } - } } } ] diff --git a/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml index b7d397641ff..7aa4a99edee 100644 --- a/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml @@ -1,9 +1,6 @@ --- description: Pipeline for parsing cisco_duo authentication logs processors: - - set: - field: event.ingested - value: "{{{_ingest.timestamp}}}" - set: field: ecs.version value: '8.0.0' diff --git a/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json b/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json index 93d2745e4a7..5a5176b28c5 100644 --- a/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json +++ b/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json @@ -2,19 +2,6 @@ "expected": [ { "@timestamp": "2019-08-30T16:10:05.000Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2021-12-29T09:37:52.266080492Z", - "original": "{\"action\": \"o2fa_user_provisioned\",\"description\": \"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\"isotimestamp\": \"2019-08-30T16:10:05+00:00\",\"object\": \"Acme Laptop Windows Logon\",\"timestamp\": 1567181405,\"username\": \"narroway\"}" - }, - "user": { - "name": "narroway" - }, - "tags": [ - "preserve_original_event" - ], "cisco_duo": { "offline_enrollment": { "action": "o2fa_user_provisioned", 
@@ -23,11 +10,23 @@ "hostname": "WKSW10x64", "user_agent": "DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)" }, + "object": "Acme Laptop Windows Logon", "user": { "name": "narroway" - }, - "object": "Acme Laptop Windows Logon" + } } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "original": "{\"action\": \"o2fa_user_provisioned\",\"description\": \"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\"isotimestamp\": \"2019-08-30T16:10:05+00:00\",\"object\": \"Acme Laptop Windows Logon\",\"timestamp\": 1567181405,\"username\": \"narroway\"}" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "narroway" } } ] diff --git a/packages/cisco_duo/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml index a25ff04d97e..46574aa431d 100644 --- a/packages/cisco_duo/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_duo/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml @@ -1,9 +1,6 @@ --- description: Pipeline for parsing cisco_duo offline enrollment logs processors: - - set: - field: event.ingested - value: "{{{_ingest.timestamp}}}" - set: field: ecs.version value: '8.0.0' diff --git a/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json b/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json index b8bcf7e25b4..bb0af762e40 100644 --- a/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json +++ b/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json 
@@ -1,17 +1,7 @@ { "expected": [ { - "@timestamp": "2021-12-29T09:37:52.958306807Z", - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2021-12-29T09:37:52.958306807Z", - "original": "{\"response\":{\"admin_count\":6,\"integration_count\":5,\"telephony_credits_remaining\":473,\"user_count\":4},\"stat\":\"OK\"}" - }, - "tags": [ - "preserve_original_event" - ], + "@timestamp": "2022-04-06T12:48:57.401820100Z", "cisco_duo": { "summary": { "admin_count": 6, @@ -19,20 +9,19 @@ "telephony_credits_remaining": 473, "user_count": 4 } - } - }, - { - "@timestamp": "2021-12-29T09:37:52.958309870Z", + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2021-12-29T09:37:52.958309870Z", - "original": "{\"response\":{\"admin_count\":3,\"integration_count\":9,\"telephony_credits_remaining\":960,\"user_count\":8},\"stat\":\"OK\"}" + "original": "{\"response\":{\"admin_count\":6,\"integration_count\":5,\"telephony_credits_remaining\":473,\"user_count\":4},\"stat\":\"OK\"}" }, "tags": [ "preserve_original_event" - ], + ] + }, + { + "@timestamp": "2022-04-06T12:48:57.401826300Z", "cisco_duo": { "summary": { "admin_count": 3, @@ -40,7 +29,16 @@ "telephony_credits_remaining": 960, "user_count": 8 } - } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "original": "{\"response\":{\"admin_count\":3,\"integration_count\":9,\"telephony_credits_remaining\":960,\"user_count\":8},\"stat\":\"OK\"}" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_duo/data_stream/summary/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/summary/elasticsearch/ingest_pipeline/default.yml index e2d04020cd3..1f32382e23c 100644 --- a/packages/cisco_duo/data_stream/summary/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_duo/data_stream/summary/elasticsearch/ingest_pipeline/default.yml 
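Review bot: The summary fixture's `@timestamp` values (`2022-04-06T12:48:57.401820100Z` and `...401826300Z`) are wall-clock ingest times rather than values taken from the source document — the removed lines show the same field equal to `event.ingested`, and regenerating the fixture changed both values. Unless the summary data stream's pipeline test config declares `@timestamp` as a dynamic field, a test comparing against this file will fail on its next run. The `event.original` payload carries no timestamp of its own, so an ingest-time stamp is presumably the only option, which makes confirming the dynamic-field declaration the fix rather than changing the fixture. This fixture and the telephony one below are also written without a trailing newline (`\ No newline at end of file`).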
@@ -1,9 +1,6 @@
 ---
 description: Pipeline for parsing cisco_duo summary logs
 processors:
- - set:
- field: event.ingested
- value: "{{{_ingest.timestamp}}}"
 - set:
 field: ecs.version
 value: '8.0.0'
diff --git a/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json b/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json
index d7e3ceb4b07..158dac53dd7 100644
--- a/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json
+++ b/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json
@@ -2,69 +2,66 @@
 "expected": [
 {
 "@timestamp": "2021-07-22T12:59:30.000Z",
+ "cisco_duo": {
+ "telephony": {
+ "credits": 5,
+ "event_type": "administrator login",
+ "phone_number": "+121234512345",
+ "type": "phone"
+ }
+ },
 "ecs": {
 "version": "8.0.0"
 },
 "event": {
- "ingested": "2021-12-29T09:37:53.175332756Z",
 "kind": "event",
 "original": "{\"context\":\"administrator login\",\"credits\":5,\"isotimestamp\":\"2021-07-22T12:59:30+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1626958770,\"type\":\"phone\"}"
 },
 "tags": [
 "preserve_original_event"
- ],
+ ]
+ },
+ {
+ "@timestamp": "2021-08-16T06:03:32.000Z",
 "cisco_duo": {
 "telephony": {
+ "credits": 1,
+ "event_type": "verify",
 "phone_number": "+121234512345",
- "event_type": "administrator login",
- "type": "phone",
- "credits": 5
+ "type": "sms"
 }
- }
- },
- {
- "@timestamp": "2021-08-16T06:03:32.000Z",
+ },
 "ecs": {
 "version": "8.0.0"
 },
 "event": {
- "ingested": "2021-12-29T09:37:53.175335209Z",
 "kind": "event",
 "original": "{\"context\":\"verify\",\"credits\":1,\"isotimestamp\":\"2021-08-16T06:03:32+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1629093812,\"type\":\"sms\"}"
 },
 "tags": [
 "preserve_original_event"
- ],
+ ]
+ },
+ {
+ "@timestamp": "2020-03-20T15:38:12.000Z",
 "cisco_duo": {
 "telephony": {
+ "credits": 1,
+ "event_type": "authentication",
 "phone_number": "+121234512345",
- "event_type": "verify",
- "type": "sms",
- "credits": 1
+ "type": "sms"
 }
- }
- },
- {
- "@timestamp": "2020-03-20T15:38:12.000Z",
+ },
 "ecs": {
 "version": "8.0.0"
 },
 "event": {
- "ingested": "2021-12-29T09:37:53.175336142Z",
 "kind": "event",
 "original": "{\"context\": \"authentication\",\"credits\": 1,\"isotimestamp\":\"2020-03-20T15:38:12+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1584718692,\"type\":\"sms\"}"
 },
 "tags": [
 "preserve_original_event"
- ],
- "cisco_duo": {
- "telephony": {
- "phone_number": "+121234512345",
- "event_type": "authentication",
- "type": "sms",
- "credits": 1
- }
- }
+ ]
 }
 ]
 }
\ No
newline at end of file
diff --git a/packages/cisco_duo/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
index 96950ead8f1..9d5fdca924d 100644
--- a/packages/cisco_duo/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_duo/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
@@ -1,9 +1,6 @@
 ---
 description: Pipeline for parsing cisco_duo telephony logs
 processors:
- - set:
- field: event.ingested
- value: "{{{_ingest.timestamp}}}"
 - set:
 field: ecs.version
 value: '8.0.0'
diff --git a/packages/cisco_duo/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json
index 1c5d2f1d22e..5fd738bd93c 100644
--- a/packages/cisco_duo/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json
+++ b/packages/cisco_duo/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json
@@ -120,13 +120,13 @@
 "key": "event.outcome",
 "negate": false,
 "params": {
- "query": "failed"
+ "query": "failure"
 },
 "type": "phrase"
 },
 "query": {
 "match_phrase": {
- "event.outcome": "failed"
+ "event.outcome": "failure"
 }
 }
 }
diff --git a/packages/cisco_duo/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json
index 51d1e4b7850..4cff1215fd5 100644
--- a/packages/cisco_duo/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json
+++ b/packages/cisco_duo/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json
@@ -15,13 +15,13 @@
 "key": "event.outcome",
 "negate": false,
 "params": {
- "query": "failed"
+ "query": "failure"
 },
 "type": "phrase"
 },
 "query": {
 "match_phrase": {
- "event.outcome": "failed"
+ "event.outcome": "failure"
 }
 }
 }
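Review bot: Changing the saved-object filter from `failed` to `failure` means documents indexed by earlier package versions, which still carry `event.outcome: failed`, no longer match this dashboard's failure panel; the same applies to the visualization hunk on this line and the one in the next file. Unless the upgrade is paired with a reindex or a pipeline that rewrites old documents, analysts will see a silent gap in failed-authentication views for pre-1.1.2 data, which is worth a line in the changelog entry. The pipeline change that emits `failure` is not on this page, so this assumes it now produces the ECS value.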
diff --git a/packages/cisco_duo/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json
index ca101a07096..d07894f062a 100644
--- a/packages/cisco_duo/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json
+++ b/packages/cisco_duo/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json
@@ -15,13 +15,13 @@
 "key": "event.outcome",
 "negate": false,
 "params": {
- "query": "failed"
+ "query": "failure"
 },
 "type": "phrase"
 },
 "query": {
 "match_phrase": {
- "event.outcome": "failed"
+ "event.outcome": "failure"
 }
 }
 }
diff --git a/packages/cisco_duo/manifest.yml b/packages/cisco_duo/manifest.yml
index b5569f05815..2287682fcfe 100644
--- a/packages/cisco_duo/manifest.yml
+++ b/packages/cisco_duo/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_duo
 title: Cisco Duo
-version: 1.1.1
+version: 1.1.2
 license: basic
 description: Collect logs from Cisco Duo with Elastic Agent.
 type: integration
diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
index c9fcfb345e4..542c1ac4911 100644
--- a/packages/cisco_ftd/changelog.yml
+++ b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.3"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
 - version: "2.0.2"
 changes:
 - description: Update observer to ftd and idps to better match this integration.
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
index af0bbfa9f80..338cc406ace 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
@@ -1123,7 +1123,7 @@
 "type": [
 "connection",
 "start",
- "failure"
+ "denied"
 ]
 },
 "host": {
@@ -1247,7 +1247,7 @@
 "type": [
 "connection",
 "end",
- "failure"
+ "denied"
 ]
 },
 "host": {
diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 5ba833c8520..1a9ed3a9a89 100644
--- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1816,7 +1816,7 @@ processors:
 ctx.event.type.add('denied');
 }
 if (ctx.event.outcome == 'block') {
- ctx.event.type.add('failure');
+ ctx.event.type.add('denied');
 }
 }
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
index c31f9ab7191..a8de9f596b5 100644
--- a/packages/cisco_ftd/manifest.yml
+++ b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_ftd
 title: Cisco FTD
-version: 2.0.2
+version: 2.0.3
 license: basic
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
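Review bot: Both branches of this script now call `ctx.event.type.add('denied')`, and `List.add` in Painless appends without deduplicating, so an event whose outcome is `block` and that also satisfies the preceding condition (which sits outside the hunk) would carry `denied` twice in `event.type`. The fixture hunks earlier on this line show only a single `denied`, so either the two conditions are exclusive or no test covers the overlap; guarding the add makes that explicit: `if (ctx.event.outcome == 'block' && !ctx.event.type.contains('denied')) { ctx.event.type.add('denied'); }`. Separately, `block` is not an ECS `event.outcome` value (`success`, `failure`, `unknown`), though that comparison is context rather than part of this change. The enclosing script starts before the hunk.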