[cisco_asa] Set event.outcome to failure for all denied events (elastic#12429)

- For all events that have an event.type of denied, event.outcome has been set to failure, to indicate a failure of a connection or access attempt.
taylor-swanson authored Jan 23, 2025
1 parent 8d16e21 commit ea01b6f
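As an added illustration (not code from the integration or from the commit author), the small Python classifier below derives event.outcome from event.type the way the commit message describes, and runs over sample lines constructed from the fixture lines in this diff. The message-ID tables, the field layout and the `reason` extraction are assumptions that cover only the IDs visible on this page; the real ingest pipeline keys on many more IDs.

```python
import re

# Cisco ASA syslog header: "%ASA-<severity>-<message id>: <body>"
ASA_HEADER = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<code>\d{6}):\s*(?P<body>.*)$")

# Assumed, minimal message-ID tables (hypothetical; only the IDs that appear in
# this commit's fixtures). The integration's own pipeline covers far more.
DENY_IDS = {"106017", "106023", "106103", "313008", "313009"}
SESSION_DISCONNECT_IDS = {"113019"}

# "Reason: <text>" trailer on 113019 session-disconnect messages (assumed format).
REASON = re.compile(r"Reason:\s*(?P<reason>[^,]+?)\s*$")


def parse(line):
    """Map one raw ASA syslog line to a partial ECS `event` object.

    event.type is decided by message ID, never by whether the body says
    'Deny', 'Denied' or 'denied', so wording variants across 106023, 313008
    and 106103 all classify the same way.
    """
    m = ASA_HEADER.search(line)
    if m is None:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    code = m.group("code")
    event = {
        "kind": "event",
        "code": code,
        "severity": int(m.group("severity")),
        "original": line,
        "type": [],
    }
    if code in DENY_IDS:
        event["type"] = ["denied"]
    elif code in SESSION_DISCONNECT_IDS:
        r = REASON.search(m.group("body"))
        if r:
            event["reason"] = r.group("reason")
        # event.type for session events is not visible in this diff; left empty.
    return event


def apply_outcome_rule(event):
    """The rule the commit message describes: every event whose event.type
    contains 'denied' gets event.outcome=failure. Nothing else is given an
    outcome, so a session disconnect is neither 'success' nor 'failure'."""
    if "denied" in event.get("type", []):
        event["outcome"] = "failure"
    return event


def classify(line):
    return apply_outcome_rule(parse(line))


# Sample input, constructed from the fixture lines shown in this diff.
SAMPLE_LINES = [
    'LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]',
    'Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123',
    'Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1',
    'Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]',
    'Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 67.43.156.12, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout',
]


def summarize(lines):
    """Return (code, event.type, event.outcome) per line: the three fields a
    saved search filtering on event.outcome would actually see."""
    return [(e["code"], e["type"], e.get("outcome")) for e in map(classify, lines)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

The point of keying on the message ID rather than the text is visible in the sample set: the deny verb appears as "Deny", "Denied" and lowercase "denied" mid-sentence, and all four lines still end up with `["denied"]` / `failure`, while the 113019 disconnect keeps its `reason` and no outcome at all.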
Showing 13 changed files with 170 additions and 241 deletions.
5 changes: 5 additions & 0 deletions packages/cisco_asa/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.40.0"
changes:
- description: "Set event.outcome to failure for all denied events."
type: bugfix
link: https://github.com/elastic/integrations/pull/12429
- version: "2.39.1"
changes:
- description: "Handle variations of device name in event 434004."
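Review bot: The changelog entry names the new value but not its effect on existing consumers: any saved search, detection rule or dashboard that selected ASA denies with event.outcome:success (the value these fixtures carried until now) stops matching after 2.40.0, and a plain "bugfix" label will not warn anyone. Suggest extending the description, for example "Set event.outcome to failure for all denied events (previously success); queries that relied on the old value need updating."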
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
"code": "106023",
"kind": "event",
"original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
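Review bot: The hunk cuts off at `"type": [`, so the fixture as shown does not let a reviewer confirm that this 106023 event actually carries `denied` in event.type, which the commit message names as the sole trigger for the new outcome, and the pipeline change itself is not rendered on this page either. Suggest including the full `type` array in the review context, or a pipeline test that asserts `event.type: [denied]` together with `event.outcome: failure`, so the two fields cannot drift apart in a later edit. Also worth a one-line comment in the pipeline recording the perspective the commit message states (the outcome describes the connection or access attempt, not the firewall's action), so a later contributor does not flip it back to success.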
Expand Down Expand Up @@ -100,7 +100,7 @@
"code": "106023",
"kind": "event",
"original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src outside:10.8.1.9/54864 dst v2:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -176,7 +176,7 @@
"code": "106023",
"kind": "event",
"original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst v2:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -252,7 +252,7 @@
"code": "106023",
"kind": "event",
"original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9 dst inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -326,7 +326,7 @@
"code": "106023",
"kind": "event",
"original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src outside:10.8.1.9 dst v2:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -400,7 +400,7 @@
"code": "106023",
"kind": "event",
"original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9 dst v2:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -473,7 +473,7 @@
"code": "106023",
"kind": "event",
"original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst inside:172.16.1.3 by access-group \"outside_acl\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -547,7 +547,7 @@
"code": "106023",
"kind": "event",
"original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src outside:10.8.1.9/54864 dst v2:inside:172.16.1.3 by access-group \"outside_acl\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -621,7 +621,7 @@
"code": "106023",
"kind": "event",
"original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst v2:inside:172.16.1.3 by access-group \"outside_acl\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@
"code": "106023",
"kind": "event",
"original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -190,7 +190,7 @@
"code": "106023",
"kind": "event",
"original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -261,7 +261,7 @@
"code": "106023",
"kind": "event",
"original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -336,7 +336,7 @@
"code": "106017",
"kind": "event",
"original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
"outcome": "success",
"outcome": "failure",
"severity": 2,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -392,7 +392,7 @@
"code": "313008",
"kind": "event",
"original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
"outcome": "success",
"outcome": "failure",
"severity": 3,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -466,7 +466,7 @@
"code": "313009",
"kind": "event",
"original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
"outcome": "success",
"outcome": "failure",
"severity": 4,
"timezone": "UTC",
"type": [
Expand Down Expand Up @@ -769,7 +769,7 @@
"code": "106103",
"kind": "event",
"original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
"outcome": "success",
"outcome": "failure",
"severity": 1,
"timezone": "UTC",
"type": [
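Review bot: Keep this 106103 fixture in the pipeline tests: it spells the verb as lowercase "denied" mid-sentence and carries a username ("for user joe"), so it is the regression case that proves the outcome is derived from event.type and not from a leading "Deny" token. It is also logged at severity 1, the highest-priority deny in this file, so any dashboard that keys on event.severity and event.outcome together should be re-checked after the change.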
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@
"end": "2020-06-08T12:59:57.000Z",
"kind": "event",
"original": "Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 67.43.156.12, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested",
"outcome": "success",
"reason": "User Requested",
"severity": 4,
"start": "2020-06-08T12:58:05.000Z",
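Review bot: This hunk removes `event.outcome: success` from a 113019 session-disconnect event, but neither the commit message nor the changelog entry says that non-denied events lose their outcome; the description only covers denied events being set to failure. Either extend the changelog ("... and remove event.outcome from session disconnect events (113019), which are neither a success nor a failure") or leave these lines out of this commit. Dropping the field is defensible on its own: a disconnect with Reason: User Requested is a normal session end, and "success" was asserting something the log line does not say.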
Expand Down Expand Up @@ -113,7 +112,6 @@
"end": "2019-10-20T15:42:53.000Z",
"kind": "event",
"original": "Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 67.43.156.12, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout",
"outcome": "success",
"reason": "Idle Timeout",
"severity": 4,
"start": "2019-10-20T13:15:19.000Z",
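Review bot: Same field removal as the previous hunk, here for Reason: Idle Timeout. A timeout is the one disconnect reason a reader could argue is a failure, so if the intent is "outcome is unset for all 113019 regardless of reason", state that in a pipeline comment next to the 113019 handling; otherwise the next report will ask for failure on idle-timeout disconnects.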