Skip to content

Commit

Permalink
Upgrade cisco modules to ecs 1.8 (elastic#23819)
Browse files Browse the repository at this point in the history
  • Loading branch information
marc-gr authored Feb 3, 2021
1 parent 1a741df commit d1f1983
Show file tree
Hide file tree
Showing 8 changed files with 55 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -835,6 +835,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Added `application/x-ndjson` as decode option for httpjson input {pull}23521[23521]
- Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521]
- Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724]
- Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. {pull}23819[23819]

*Heartbeat*

Expand Down
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cisco/asa/config/input.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0

{{ if .external_zones }}
- add_fields:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1743,6 +1743,9 @@
"related.hosts": [
"dev01"
],
"related.user": [
"aaaa"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
Expand Down Expand Up @@ -1779,6 +1782,9 @@
"related.hosts": [
"dev01"
],
"related.user": [
"aaaa"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
Expand Down Expand Up @@ -2115,7 +2121,6 @@
"dev01"
],
"related.ip": [
"10.10.10.10",
"10.10.10.10"
],
"service.type": "cisco",
Expand Down Expand Up @@ -2207,7 +2212,6 @@
"dev01"
],
"related.ip": [
"10.10.10.10",
"10.10.10.10"
],
"service.type": "cisco",
Expand Down Expand Up @@ -2302,7 +2306,6 @@
"dev01"
],
"related.ip": [
"10.20.30.40",
"10.20.30.40"
],
"service.type": "cisco",
Expand Down Expand Up @@ -2347,7 +2350,6 @@
"dev01"
],
"related.ip": [
"10.20.30.40",
"10.20.30.40"
],
"service.type": "cisco",
Expand Down Expand Up @@ -2392,7 +2394,6 @@
"dev01"
],
"related.ip": [
"10.20.30.40",
"10.20.30.40"
],
"service.type": "cisco",
Expand Down Expand Up @@ -2437,7 +2438,6 @@
"dev01"
],
"related.ip": [
"10.20.30.40",
"10.20.30.40"
],
"service.type": "cisco",
Expand Down Expand Up @@ -2710,6 +2710,9 @@
"related.ip": [
"10.10.0.87"
],
"related.user": [
"enable_15"
],
"service.type": "cisco",
"source.address": "10.10.0.87",
"source.ip": "10.10.0.87",
Expand Down Expand Up @@ -2749,6 +2752,9 @@
"related.hosts": [
"dev01"
],
"related.user": [
"enable_15"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
Expand Down Expand Up @@ -2794,6 +2800,9 @@
"10.10.1.212",
"10.10.1.254"
],
"related.user": [
"*****"
],
"service.type": "cisco",
"source.address": "10.10.1.212",
"source.ip": "10.10.1.212",
Expand Down Expand Up @@ -2837,6 +2846,9 @@
"related.ip": [
"10.10.0.87"
],
"related.user": [
"admin"
],
"service.type": "cisco",
"source.address": "10.10.0.87",
"source.ip": "10.10.0.87",
Expand Down Expand Up @@ -2884,6 +2896,9 @@
"10.10.0.87",
"10.10.1.254"
],
"related.user": [
"admin"
],
"service.type": "cisco",
"source.address": "10.10.0.87",
"source.ip": "10.10.0.87",
Expand Down Expand Up @@ -2927,6 +2942,9 @@
"related.ip": [
"10.10.0.87"
],
"related.user": [
"admin"
],
"service.type": "cisco",
"source.address": "10.10.0.87",
"source.ip": "10.10.0.87",
Expand Down Expand Up @@ -3031,6 +3049,9 @@
"related.ip": [
"91.240.17.178"
],
"related.user": [
"91.240.17.178"
],
"service.type": "cisco",
"source.bytes": 297103,
"source.user.name": "91.240.17.178",
Expand Down Expand Up @@ -3071,6 +3092,9 @@
"related.ip": [
"8.8.8.8"
],
"related.user": [
"testuser"
],
"service.type": "cisco",
"source.address": "8.8.8.8",
"source.as.number": 15169,
Expand Down Expand Up @@ -3119,6 +3143,9 @@
"related.ip": [
"8.8.8.8"
],
"related.user": [
"testuser"
],
"service.type": "cisco",
"source.address": "8.8.8.8",
"source.as.number": 15169,
Expand Down Expand Up @@ -3167,6 +3194,9 @@
"related.ip": [
"192.168.50.1"
],
"related.user": [
"alice"
],
"service.type": "cisco",
"source.address": "192.168.50.1",
"source.ip": "192.168.50.1",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,6 @@
"SNL-ASA-VPN-A01"
],
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
Expand Down Expand Up @@ -143,7 +142,6 @@
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
Expand Down Expand Up @@ -197,7 +195,6 @@
"SNL-ASA-VPN-A01"
],
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
Expand Down Expand Up @@ -242,7 +239,6 @@
"SNL-ASA-VPN-A01"
],
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
Expand Down
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cisco/ftd/config/input.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0

{{ if .external_zones }}
- add_fields:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,6 @@
"SNL-ASA-VPN-A01"
],
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
Expand Down Expand Up @@ -146,7 +145,6 @@
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
Expand Down Expand Up @@ -201,7 +199,6 @@
"SNL-ASA-VPN-A01"
],
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
Expand Down Expand Up @@ -247,7 +244,6 @@
"SNL-ASA-VPN-A01"
],
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
Expand Down
16 changes: 15 additions & 1 deletion x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1613,14 +1613,27 @@ processors:
field: related.ip
value: "{{source.ip}}"
if: "ctx?.source?.ip != null"
allow_duplicates: false
- append:
field: related.ip
value: "{{destination.ip}}"
if: "ctx?.destination?.ip != null"
allow_duplicates: false
- append:
field: related.user
value: "{{user.name}}"
if: "ctx?.user?.name != null"
if: "ctx?.user?.name != null && ctx?.user?.name != ''"
allow_duplicates: false
- append:
field: related.user
value: "{{host.user.name}}"
if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != ''
allow_duplicates: false
- append:
field: related.user
value: "{{source.user.name}}"
if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
allow_duplicates: false
- append:
field: related.user
value: "{{destination.user.name}}"
Expand All @@ -1630,6 +1643,7 @@ processors:
field: related.hash
value: "{{file.hash.sha256}}"
if: "ctx?.file?.hash?.sha256 != null"
allow_duplicates: false
- append:
field: related.hosts
value: "{{host.hostname}}"
Expand Down
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cisco/umbrella/config/input.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0

0 comments on commit d1f1983

Please sign in to comment.