elastic · r00tu53r · Apr 12, 2022 · Apr 11, 2022 · Apr 11, 2022 · Apr 11, 2022
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.4"
+  changes:
+    - description: Set event.kind to alert only when sha_disposition is malware or custom
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3041
 - version: "2.0.3"
   changes:
     - description: Make fields agree with ECS

@@ -1,5 +1,3 @@
-dynamic_fields:
-  event.ingested: ".*"
 fields:
   tags:
     - preserve_original_event
@@ -214,10 +214,11 @@
             "event": {
                 "action": "malware-detected",
                 "category": [
-                    "malware"
+                    "malware",
+                    "file"
                 ],
                 "code": "430005",
-                "kind": "alert",
+                "kind": "event",
                 "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311",
                 "severity": 3,
                 "type": [

@@ -8,3 +8,4 @@ Aug 14 2019 15:09:43 siem-ftd  %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.
 2019-08-16T09:39:03Z firepower  %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip
 2019-08-16T09:40:45Z firepower  %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
 2019-08-16T09:42:07Z firepower  %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
+<113>2021-08-25T14:55:13Z   %FTD-1-430005: DeviceUUID: c20ef000-c4f3-11e9-9b57-c6a90fda2892, InstanceID: 3, FirstPacketSecond: 2021-08-25T14:55:06Z, ConnectionID: 44560, SrcIP: 172.16.0.2, DstIP: 89.160.20.156, SrcPort: 65000, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9, SHA_Disposition: Unknown, SperoDisposition: Spero detection not performed on file, ThreatName: Invalid ID, FileName: 34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, FileType: MSCAB, FileSize: 7179, ApplicationProtocol: HTTP, Client: Windows Update, WebApplication: Microsoft Update, User: Not Found, FilePolicy: FILE POLICY, URI: http://download.windowsupdate.com/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, IngressVRF: Global, EgressVRF: Global
@@ -799,10 +799,11 @@
             "event": {
                 "action": "malware-detected",
                 "category": [
-                    "malware"
+                    "malware",
+                    "file"
                 ],
                 "code": "430005",
-                "kind": "alert",
+                "kind": "event",
                 "original": "2019-08-16T09:39:03Z firepower  %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
                 "severity": 1,
                 "start": "2019-08-16T09:39:02Z",
@@ -913,10 +914,11 @@
             "event": {
                 "action": "malware-detected",
                 "category": [
-                    "malware"
+                    "malware",
+                    "file"
                 ],
                 "code": "430005",
-                "kind": "alert",
+                "kind": "event",
                 "original": "2019-08-16T09:40:45Z firepower  %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
                 "severity": 1,
                 "start": "2019-08-16T09:40:45Z",
@@ -1108,6 +1110,139 @@
                 "id": "No Authentication Required",
                 "name": "No Authentication Required"
             }
+        },
+        {
+            "@timestamp": "2021-08-25T14:55:13.000Z",
+            "cisco": {
+                "ftd": {
+                    "rule_name": "FILE POLICY",
+                    "security": {
+                        "application_protocol": "HTTP",
+                        "client": "Windows Update",
+                        "dst_ip": "89.160.20.156",
+                        "dst_port": "80",
+                        "file_action": "Malware Cloud Lookup",
+                        "file_direction": "Download",
+                        "file_name": "34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+                        "file_policy": "FILE POLICY",
+                        "file_sha256": "2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9",
+                        "file_size": "7179",
+                        "file_type": "MSCAB",
+                        "first_packet_second": "2021-08-25T14:55:06Z",
+                        "protocol": "tcp",
+                        "sha_disposition": "Unknown",
+                        "spero_disposition": "Spero detection not performed on file",
+                        "src_ip": "172.16.0.2",
+                        "src_port": "65000",
+                        "threat_name": "Invalid ID",
+                        "uri": "http://download.windowsupdate.com/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+                        "user": "Not Found",
+                        "web_application": "Microsoft Update"
+                    },
+                    "threat_category": "Invalid ID"
+                }
+            },
+            "destination": {
+                "address": "89.160.20.156",
+                "as": {
+                    "number": 29518,
+                    "organization": {
+                        "name": "Bredband2 AB"
+                    }
+                },
+                "geo": {
+                    "city_name": "Linköping",
+                    "continent_name": "Europe",
+                    "country_iso_code": "SE",
+                    "country_name": "Sweden",
+                    "location": {
+                        "lat": 58.4167,
+                        "lon": 15.6167
+                    },
+                    "region_iso_code": "SE-E",
+                    "region_name": "Östergötland County"
+                },
+                "ip": "89.160.20.156",
+                "port": 80
+            },
+            "ecs": {
+                "version": "8.0.0"
+            },
+            "event": {
+                "action": "malware-detected",
+                "category": [
+                    "malware",
+                    "file"
+                ],
+                "code": "430005",
+                "kind": "event",
+                "original": "\u003c113\u003e2021-08-25T14:55:13Z   %FTD-1-430005: DeviceUUID: c20ef000-c4f3-11e9-9b57-c6a90fda2892, InstanceID: 3, FirstPacketSecond: 2021-08-25T14:55:06Z, ConnectionID: 44560, SrcIP: 172.16.0.2, DstIP: 89.160.20.156, SrcPort: 65000, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9, SHA_Disposition: Unknown, SperoDisposition: Spero detection not performed on file, ThreatName: Invalid ID, FileName: 34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, FileType: MSCAB, FileSize: 7179, ApplicationProtocol: HTTP, Client: Windows Update, WebApplication: Microsoft Update, User: Not Found, FilePolicy: FILE POLICY, URI: http://download.windowsupdate.com/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, IngressVRF: Global, EgressVRF: Global",
+                "severity": 1,
+                "start": "2021-08-25T14:55:06Z",
+                "type": [
+                    "info"
+                ]
+            },
+            "file": {
+                "hash": {
+                    "sha256": "2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9"
+                },
+                "name": "34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+                "size": 7179
+            },
+            "log": {
+                "level": "alert"
+            },
+            "network": {
+                "application": [
+                    "windows update",
+                    "microsoft update"
+                ],
+                "iana_number": "6",
+                "protocol": "http",
+                "transport": "tcp"
+            },
+            "observer": {
+                "product": "ftd",
+                "type": "idps",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "hash": [
+                    "2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9"
+                ],
+                "ip": [
+                    "172.16.0.2",
+                    "89.160.20.156"
+                ],
+                "user": [
+                    "Not Found"
+                ]
+            },
+            "source": {
+                "address": "172.16.0.2",
+                "ip": "172.16.0.2",
+                "port": 65000
+            },
+            "syslog": {
+                "facility": {
+                    "code": 113
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "url": {
+                "domain": "download.windowsupdate.com",
+                "extension": "cab",
+                "original": "http://download.windowsupdate.com/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+                "path": "/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab",
+                "scheme": "http"
+            },
+            "user": {
+                "id": "Not Found",
+                "name": "Not Found"
+            }
         }
     ]
 }
@@ -1763,7 +1763,7 @@ processors:
           type:
             - info
         malware-detected:
-          kind: alert
+          kind: event
           category:
             - malware
           type:
@@ -1820,6 +1820,16 @@ processors:
           }
         }
 
+  # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases.
+  - set:
+      if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+      field: event.kind
+      value: alert
+  - append:
+      if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+      field: event.category
+      value: file
+
   - set:
       description: copy destination.user.name to user.name if it is not set
       field: user.name

@@ -1,11 +1,12 @@
 {
     "@timestamp": "2019-08-16T09:39:03.000Z",
     "agent": {
-        "ephemeral_id": "fb59da35-f6e4-4052-ae20-539243c9049e",
-        "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+        "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102",
+        "hostname": "docker-fleet-agent",
+        "id": "43265318-62cb-431d-b8c2-c36438978d88",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.0.0-beta1"
+        "version": "7.17.0"
     },
     "cisco": {
         "ftd": {
@@ -63,20 +64,21 @@
         "version": "8.0.0"
     },
     "elastic_agent": {
-        "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+        "id": "43265318-62cb-431d-b8c2-c36438978d88",
         "snapshot": false,
-        "version": "8.0.0-beta1"
+        "version": "7.17.0"
     },
     "event": {
         "action": "malware-detected",
         "agent_id_status": "verified",
         "category": [
-            "malware"
+            "malware",
+            "file"
         ],
         "code": "430005",
         "dataset": "cisco_ftd.log",
-        "ingested": "2021-12-29T10:08:02Z",
-        "kind": "alert",
+        "ingested": "2022-04-11T08:03:35Z",
+        "kind": "event",
         "original": "2019-08-16T09:39:03Z firepower  %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n",
         "severity": 1,
         "start": "2019-08-16T09:39:02Z",
@@ -101,7 +103,7 @@
     "log": {
         "level": "alert",
         "source": {
-            "address": "192.168.128.6:54121"
+            "address": "172.21.0.4:50821"
         }
     },
     "network": {

@@ -17,11 +17,12 @@ An example event for `log` looks as following:
 {
     "@timestamp": "2019-08-16T09:39:03.000Z",
     "agent": {
-        "ephemeral_id": "fb59da35-f6e4-4052-ae20-539243c9049e",
-        "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+        "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102",
+        "hostname": "docker-fleet-agent",
+        "id": "43265318-62cb-431d-b8c2-c36438978d88",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.0.0-beta1"
+        "version": "7.17.0"
     },
     "cisco": {
         "ftd": {
@@ -79,20 +80,21 @@ An example event for `log` looks as following:
         "version": "8.0.0"
     },
     "elastic_agent": {
-        "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+        "id": "43265318-62cb-431d-b8c2-c36438978d88",
         "snapshot": false,
-        "version": "8.0.0-beta1"
+        "version": "7.17.0"
     },
     "event": {
         "action": "malware-detected",
         "agent_id_status": "verified",
         "category": [
-            "malware"
+            "malware",
+            "file"
         ],
         "code": "430005",
         "dataset": "cisco_ftd.log",
-        "ingested": "2021-12-29T10:08:02Z",
-        "kind": "alert",
+        "ingested": "2022-04-11T08:03:35Z",
+        "kind": "event",
         "original": "2019-08-16T09:39:03Z firepower  %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n",
         "severity": 1,
         "start": "2019-08-16T09:39:02Z",
@@ -117,7 +119,7 @@ An example event for `log` looks as following:
     "log": {
         "level": "alert",
         "source": {
-            "address": "192.168.128.6:54121"
+            "address": "172.21.0.4:50821"
         }
     },
     "network": {

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_ftd
 title: Cisco FTD
-version: 2.0.3
+version: 2.0.4
 license: basic
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration