diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
index 542c1ac4911..7cd6c0f0657 100644
--- a/packages/cisco_ftd/changelog.yml
+++ b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.4"
+ changes:
+ - description: Set event.kind to alert only when sha_disposition is malware or custom
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3041
 - version: "2.0.3"
 changes:
 - description: Make fields agree with ECS
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-common-config.yml
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
index bf66348ef8e..859680f9b38 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
@@ -214,10 +214,11 @@
 "event": {
 "action": "malware-detected",
 "category": [
- "malware"
+ "malware",
+ "file"
 ],
 "code": "430005",
- "kind": "alert",
+ "kind": "event",
 "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311",
 "severity": 3,
 "type": [
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log
index fae3c9aebf8..e86bfb6bc1f 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log
@@ -8,3 +8,4 @@ Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.
 2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip
 2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
 2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
+<113>2021-08-25T14:55:13Z %FTD-1-430005: DeviceUUID: c20ef000-c4f3-11e9-9b57-c6a90fda2892, InstanceID: 3, FirstPacketSecond: 2021-08-25T14:55:06Z, ConnectionID: 44560, SrcIP: 172.16.0.2, DstIP: 89.160.20.156, SrcPort: 65000, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9, SHA_Disposition: Unknown, SperoDisposition: Spero detection not performed on file, ThreatName: Invalid ID, FileName: 34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, FileType: MSCAB, FileSize: 7179, ApplicationProtocol: HTTP, Client: Windows Update, WebApplication: Microsoft Update, User: Not Found, FilePolicy: FILE POLICY, URI: http://download.windowsupdate.com/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, IngressVRF: Global, EgressVRF: Global
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
index 974659bddbf..bb09bfdd12a 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
@@ -799,10 +799,11 @@
 "event": {
 "action": "malware-detected",
 "category": [
- "malware"
+ "malware",
+ "file"
 ],
 "code": "430005",
- "kind": "alert",
+ "kind": "event",
 "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
 "severity": 1,
 "start": "2019-08-16T09:39:02Z",
@@ -913,10 +914,11 @@
 "event": {
 "action": "malware-detected",
 "category": [
- "malware"
+ "malware",
+ "file"
 ],
 "code": "430005",
- "kind": "alert",
+ "kind": "event",
 "original": "2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
 "severity": 1,
 "start": "2019-08-16T09:40:45Z",
@@ -1108,6 +1110,139 @@
 "id": "No Authentication Required",
 "name": "No Authentication Required"
 }
+ },
+ {
+ "@timestamp": "2021-08-25T14:55:13.000Z",
+ "cisco": {
+ "ftd": {
+ "rule_name": "FILE POLICY",
+ "security": {
+ "application_protocol": "HTTP",
+ "client": "Windows Update",
+ "dst_ip": "89.160.20.156",
+ "dst_port": "80",
+ "file_action": "Malware Cloud Lookup",
+ "file_direction": "Download",
+ "file_name": "34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+ "file_policy": "FILE POLICY",
+ "file_sha256": "2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9",
+ "file_size": "7179",
+ "file_type": "MSCAB",
+ "first_packet_second": "2021-08-25T14:55:06Z",
+ "protocol": "tcp",
+ "sha_disposition": "Unknown",
+ "spero_disposition": "Spero detection not performed on file",
+ "src_ip": "172.16.0.2",
+ "src_port": "65000",
+ "threat_name": "Invalid ID",
+ "uri": "http://download.windowsupdate.com/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+ "user": "Not Found",
+ "web_application": "Microsoft Update"
+ },
+ "threat_category": "Invalid ID"
+ }
+ },
+ "destination": {
+ "address": "89.160.20.156",
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.156",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "malware-detected",
+ "category": [
+ "malware",
+ "file"
+ ],
+ "code": "430005",
+ "kind": "event",
+ "original": "\u003c113\u003e2021-08-25T14:55:13Z %FTD-1-430005: DeviceUUID: c20ef000-c4f3-11e9-9b57-c6a90fda2892, InstanceID: 3, FirstPacketSecond: 2021-08-25T14:55:06Z, ConnectionID: 44560, SrcIP: 172.16.0.2, DstIP: 89.160.20.156, SrcPort: 65000, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9, SHA_Disposition: Unknown, SperoDisposition: Spero detection not performed on file, ThreatName: Invalid ID, FileName: 34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, FileType: MSCAB, FileSize: 7179, ApplicationProtocol: HTTP, Client: Windows Update, WebApplication: Microsoft Update, User: Not Found, FilePolicy: FILE POLICY, URI: http://download.windowsupdate.com/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, IngressVRF: Global, EgressVRF: Global",
+ "severity": 1,
+ "start": "2021-08-25T14:55:06Z",
+ "type": [
+ "info"
+ ]
+ },
+ "file": {
+ "hash": {
+ "sha256": "2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9"
+ },
+ "name": "34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+ "size": 7179
+ },
+ "log": {
+ "level": "alert"
+ },
+ "network": {
+ "application": [
+ "windows update",
+ "microsoft update"
+ ],
+ "iana_number": "6",
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "product": "ftd",
+ "type": "idps",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "hash": [
+ "2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9"
+ ],
+ "ip": [
+ "172.16.0.2",
+ "89.160.20.156"
+ ],
+ "user": [
+ "Not Found"
+ ]
+ },
+ "source": {
+ "address": "172.16.0.2",
+ "ip": "172.16.0.2",
+ "port": 65000
+ },
+ "syslog": {
+ "facility": {
+ "code": 113
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "url": {
+ "domain": "download.windowsupdate.com",
+ "extension": "cab",
+ "original": "http://download.windowsupdate.com/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+ "path": "/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+ "scheme": "http"
+ },
+ "user": {
+ "id": "Not Found",
+ "name": "Not Found"
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 1a9ed3a9a89..86cd3e514a2 100644
--- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1763,7 +1763,7 @@ processors:
 type:
 - info
 malware-detected:
- kind: alert
+ kind: event
 category:
 - malware
 type:
@@ -1820,6 +1820,16 @@ processors:
 }
 }
+ # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases.
+ - set:
+ if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+ field: event.kind
+ value: alert
+ - append:
+ if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+ field: event.category
+ value: file
 - set:
 description: copy destination.user.name to user.name if it is not set
 field: user.name
diff --git a/packages/cisco_ftd/data_stream/log/sample_event.json b/packages/cisco_ftd/data_stream/log/sample_event.json
index f54ade25aff..f2971534423 100644
--- a/packages/cisco_ftd/data_stream/log/sample_event.json
+++ b/packages/cisco_ftd/data_stream/log/sample_event.json
@@ -1,11 +1,12 @@
 {
 "@timestamp": "2019-08-16T09:39:03.000Z",
 "agent": {
- "ephemeral_id": "fb59da35-f6e4-4052-ae20-539243c9049e",
- "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102",
+ "hostname": "docker-fleet-agent",
+ "id": "43265318-62cb-431d-b8c2-c36438978d88",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "cisco": {
 "ftd": {
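Review bot: Both new `if` conditions null-guard `ctx?.event?.code` but then dereference `ctx.cisco.ftd.security.sha_disposition` without the null-safe operator, so a 430005 line that reaches this processor without a `cisco.ftd.security` object (nothing in the hunk guarantees the earlier parsing always creates it) would make the Painless condition throw and fail the whole document instead of simply not matching. Write the chain null-safe on both lines, `ctx.cisco?.ftd?.security?.sha_disposition`; `List.contains(null)` is false, so the `set` is skipped and the `append` still fires, which is the intended outcome for any non-malware disposition. The comparison is exact and case-sensitive, so values such as `Unavailable`, `Unknown` or a pending disposition all stay `event.kind: event`; a detection rule that matched 430005 on `event.kind: alert` alone will now only see confirmed dispositions, and a note to that effect is worth keeping near the list. The comment reads awkwardly; suggested wording: `# For 430005 (malware-detected), event.kind is alert only when sha_disposition is "Malware" or "Custom Detection"; every other disposition stays event.kind: event and additionally gets the "file" category.`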
@@ -63,20 +64,21 @@
 "version": "8.0.0"
 },
 "elastic_agent": {
- "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "id": "43265318-62cb-431d-b8c2-c36438978d88",
 "snapshot": false,
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "event": {
 "action": "malware-detected",
 "agent_id_status": "verified",
 "category": [
- "malware"
+ "malware",
+ "file"
 ],
 "code": "430005",
 "dataset": "cisco_ftd.log",
- "ingested": "2021-12-29T10:08:02Z",
- "kind": "alert",
+ "ingested": "2022-04-11T08:03:35Z",
+ "kind": "event",
 "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n",
 "severity": 1,
 "start": "2019-08-16T09:39:02Z",
@@ -101,7 +103,7 @@
 "log": {
 "level": "alert",
 "source": {
- "address": "192.168.128.6:54121"
+ "address": "172.21.0.4:50821"
 }
 },
 "network": {
diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md
index 8498022b55e..fc2df5e9034 100644
--- a/packages/cisco_ftd/docs/README.md
+++ b/packages/cisco_ftd/docs/README.md
@@ -17,11 +17,12 @@ An example event for `log` looks as following:
 {
 "@timestamp": "2019-08-16T09:39:03.000Z",
 "agent": {
- "ephemeral_id": "fb59da35-f6e4-4052-ae20-539243c9049e",
- "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102",
+ "hostname": "docker-fleet-agent",
+ "id": "43265318-62cb-431d-b8c2-c36438978d88",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "cisco": {
 "ftd": {
@@ -79,20 +80,21 @@ An example event for `log` looks as following:
 "version": "8.0.0"
 },
 "elastic_agent": {
- "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "id": "43265318-62cb-431d-b8c2-c36438978d88",
 "snapshot": false,
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "event": {
 "action": "malware-detected",
 "agent_id_status": "verified",
 "category": [
- "malware"
+ "malware",
+ "file"
 ],
 "code": "430005",
 "dataset": "cisco_ftd.log",
- "ingested": "2021-12-29T10:08:02Z",
- "kind": "alert",
+ "ingested": "2022-04-11T08:03:35Z",
+ "kind": "event",
 "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n",
 "severity": 1,
 "start": "2019-08-16T09:39:02Z",
@@ -117,7 +119,7 @@ An example event for `log` looks as following:
 "log": {
 "level": "alert",
 "source": {
- "address": "192.168.128.6:54121"
+ "address": "172.21.0.4:50821"
 }
 },
 "network": {
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
index a8de9f596b5..3dc70b6c6be 100644
--- a/packages/cisco_ftd/manifest.yml
+++ b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_ftd
 title: Cisco FTD
-version: 2.0.3
+version: 2.0.4
 license: basic
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration