From ea01b6ff303b26c51bf2a31907cef0f8d7078025 Mon Sep 17 00:00:00 2001 From: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Date: Thu, 23 Jan 2025 14:59:10 -0600 Subject: [PATCH] [cisco_asa] Set event.outcome to failure for all denied events (#12429) - For all events that have a event.type of denied, event.outcome has been set to failure, to indicate a failure of a connection or access attempt. --- packages/cisco_asa/changelog.yml | 5 + ...106023-iface-with-prefix.log-expected.json | 18 +-- ...test-additional-messages.log-expected.json | 65 ++++---- .../pipeline/test-asa-fix.log-expected.json | 14 +- .../test-asa-missing-groups.log-expected.json | 2 - .../test/pipeline/test-asa.log-expected.json | 142 ++++++------------ .../pipeline/test-filtered.log-expected.json | 2 +- .../test-non-canonical.log-expected.json | 8 +- .../pipeline/test-not-ip.log-expected.json | 2 +- .../pipeline/test-sample.log-expected.json | 60 +++----- .../test-sgt-tag-name.log-expected.json | 15 +- .../elasticsearch/ingest_pipeline/default.yml | 76 +++++----- packages/cisco_asa/manifest.yml | 2 +- 13 files changed, 170 insertions(+), 241 deletions(-) diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml index f86d2b7137e..decd40709f1 100644 --- a/packages/cisco_asa/changelog.yml +++ b/packages/cisco_asa/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.40.0" + changes: + - description: "Set event.outcome to failure for all denied events." + type: bugfix + link: https://github.com/elastic/integrations/pull/12429 - version: "2.39.1" changes: - description: "Handle variations of device name in event 434004." diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-106023-iface-with-prefix.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-106023-iface-with-prefix.log-expected.json index e4f6a062614..885861d6259 100644 
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-106023-iface-with-prefix.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-106023-iface-with-prefix.log-expected.json @@ -24,7 +24,7 @@ "code": "106023", "kind": "event", "original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -100,7 +100,7 @@ "code": "106023", "kind": "event", "original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src outside:10.8.1.9/54864 dst v2:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -176,7 +176,7 @@ "code": "106023", "kind": "event", "original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst v2:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -252,7 +252,7 @@ "code": "106023", "kind": "event", "original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9 dst inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -326,7 +326,7 @@ "code": "106023", "kind": "event", "original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src outside:10.8.1.9 dst v2:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -400,7 +400,7 @@ "code": "106023", "kind": "event", "original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9 dst v2:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -473,7 +473,7 @@ "code": "106023", "kind": "event", "original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst inside:172.16.1.3 by access-group \"outside_acl\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -547,7 +547,7 @@ "code": "106023", "kind": "event", "original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src outside:10.8.1.9/54864 dst v2:inside:172.16.1.3 by access-group \"outside_acl\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -621,7 +621,7 @@ "code": "106023", "kind": "event", "original": "LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst v2:inside:172.16.1.3 by access-group \"outside_acl\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json index 500a22c1a92..96df13da38f 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json 
@@ -832,7 +832,7 @@ "code": "313005", "kind": "event", "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2 dst dstif:192.168.2.3 (type 3, code 3) on myif interface. Original IP payload: udp src 192.168.2.2/53 dst 192.168.2.3/10872.", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -914,7 +914,7 @@ "code": "313005", "kind": "event", "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2(LOCAL\\testgroup\\testuser) dst dstif:192.168.2.3 (type 3, code 3) on myif interface. Original IP payload: udp src 192.168.2.2/53 dst 192.168.2.3/10872.", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -1007,7 +1007,7 @@ "code": "313005", "kind": "event", "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2(LOCAL\\testuser) dst dstif:192.168.2.3 (type 3, code 3) on myif interface. Original IP payload: udp src 192.168.2.2/53 dst 192.168.2.3/10872.", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -1096,7 +1096,7 @@ "code": "313005", "kind": "event", "original": "<188>May 5 17:51:17: %ASA-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2 dst dstif:192.168.2.3 (type 3, code 2) on srcif interface. Original IP payload: icmp src 192.168.2.2 dst 192.168.2.3 (type 0, code 0).", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -1179,7 +1179,7 @@ "code": "313005", "kind": "event", "original": "<188>May 5 17:51:17 dev01: %ASA-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2 dst dstif:192.168.2.3 (type 3, code 2) on srcif interface. Original IP payload: protocol 51 src 192.168.2.2 dst 192.168.2.3.", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -1594,7 +1594,6 @@ "end": "2025-05-05T18:29:32.000Z", "kind": "event", "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2025-05-05T18:29:32.000Z", @@ -1843,7 +1842,7 @@ "code": "313004", "kind": "event", "original": "May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -1990,7 +1989,7 @@ "code": "106001", "kind": "event", "original": "May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -2325,7 +2324,7 @@ "code": "106023", "kind": "event", "original": "May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -2400,7 +2399,7 @@ "code": "106021", "kind": "event", "original": "May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
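Review bot: The hunk at -1594 drops `event.outcome` entirely from the 302014 teardown event, which is neither a denied event nor covered by the commit description and changelog entry, both of which only mention setting failure on denied events. The same removal appears for 302304, 113019, 716002, 716058 and 716059 in the hunks that follow, and for every 302014 teardown in test-asa-missing-groups and test-asa.log-expected.json. Consumers filtering on `event.outcome: success` for connection teardown or VPN session-end events will stop matching, so this is a behavior change worth stating explicitly; I'd extend the changelog entry to something like `Set event.outcome to failure for all denied events and remove event.outcome from connection teardown and session end events.` The pipeline change in default.yml that produces this is outside this chunk, so I cannot confirm the exact condition that now leaves outcome unset.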
@@ -2469,7 +2468,7 @@ "code": "106006", "kind": "event", "original": "May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -2541,7 +2540,7 @@ "code": "106015", "kind": "event", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ @@ -2612,7 +2611,7 @@ "code": "106015", "kind": "event", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ @@ -2683,7 +2682,7 @@ "code": "106015", "kind": "event", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ @@ -3651,7 +3650,7 @@ "code": "106014", "kind": "event", "original": "May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", - "outcome": "success", + "outcome": "failure", "severity": 3, "timezone": "UTC", "type": [ @@ -3779,7 +3778,7 @@ "code": "106010", "kind": "event", "original": "May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", - "outcome": "success", + "outcome": "failure", "severity": 3, "timezone": "UTC", "type": [ 
@@ -4182,7 +4181,6 @@ "end": "2025-04-27T04:12:23.000Z", "kind": "event", "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout", - "outcome": "success", "reason": "Connection timeout", "severity": 6, "start": "2025-04-27T03:12:21.000Z", @@ -4274,7 +4272,7 @@ "code": "106023", "kind": "event", "original": "Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -4930,7 +4928,6 @@ "end": "2025-04-27T02:03:03.000Z", "kind": "event", "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", - "outcome": "success", "reason": "User Requested", "severity": 4, "start": "2025-04-27T01:30:47.000Z", @@ -5060,7 +5057,6 @@ "code": "716002", "kind": "event", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 81.2.69.144 WebVPN session terminated: User Requested.", - "outcome": "success", "reason": "User Requested", "severity": 6, "timezone": "UTC", @@ -5135,7 +5131,6 @@ "code": "716002", "kind": "event", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.", - "outcome": "success", "reason": "Idle timeout", "severity": 6, "timezone": "UTC", @@ -5201,7 +5196,7 @@ "code": "710003", "kind": "event", "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 81.2.69.144/6370 to outside:192.168.157.61/23", - "outcome": "success", + "outcome": "failure", "severity": 3, "timezone": "UTC", "type": [ 
@@ -5371,7 +5366,7 @@ "code": "434002", "kind": "event", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -6325,7 +6320,7 @@ "code": "106023", "kind": "event", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:81.2.69.144 dst inside:172.31.98.44 by access-group \"inbound\"", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -6421,7 +6416,7 @@ "code": "106023", "kind": "event", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 (type 128, code 0) by access-group \"OUTSIDE_in\"", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -8435,7 +8430,7 @@ "code": "106010", "kind": "event", "original": "<139>Oct 06 2023 11:12:20 myAsaHostname : %ASA-3-106010: Deny inbound protocol 103 src inside:172.31.98.44 dst inside:192.168.2.2", - "outcome": "success", + "outcome": "failure", "severity": 3, "timezone": "UTC", "type": [ @@ -8519,7 +8514,7 @@ "code": "106015", "kind": "event", "original": "<166>Oct 06 2023 09:46:34 myAsaHostname : %ASA-6-106015: Deny TCP (no connection) from myComputer1.myDomain.se/11946 to myComputer2.myDomain.se/389 flags FIN ACK on interface inside", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ @@ -8598,7 +8593,7 @@ "code": "106023", "kind": "event", "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-4-106023: Deny udp src outside:172.31.98.44/0 dst myInterfaceName:192.168.2.2/80 by access-group \"outside\" [0x24c36bb3, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -8676,7 +8671,7 @@ "code": "106012", "kind": "event", "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-4-106012: Deny IP from 10.1.2.1 to 172.31.98.44, IP options: \"Router Alert\"", - "outcome": "success", + "outcome": "failure", "reason": "IP options: \"Router Alert\"", "severity": 4, "timezone": "UTC", @@ -9758,7 +9753,7 @@ "code": "725007", "kind": "event", "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-725007: SSL session with client inside:172.16.0.1/1133 to 10.20.0.1/443 terminated.", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ @@ -9833,7 +9828,7 @@ "code": "725007", "kind": "event", "original": "<166>2024-06-20T22:25:26Z: %ASA-6-725007: SSL session with client outside:172.16.0.1/49243 to 10.20.0.1/443 terminated", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ @@ -10683,7 +10678,6 @@ "code": "716058", "kind": "event", "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-716058: Group User IP <10.20.0.1> AnyConnect session lost connection. Waiting to resume.", - "outcome": "success", "severity": 6, "timezone": "UTC", "type": [ @@ -10754,7 +10748,6 @@ "code": "716058", "kind": "event", "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-716058: Group GROUP_1 User USER_1 IP 10.20.0.1 AnyConnect session lost connection. Waiting to resume.", - "outcome": "success", "severity": 6, "timezone": "UTC", "type": [ @@ -10829,7 +10822,6 @@ "code": "716059", "kind": "event", "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-716059: Group User IP <10.20.0.1> AnyConnect session resumed. Connection from <172.16.0.1>.", - "outcome": "success", "severity": 6, "timezone": "UTC", "type": [ 
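Review bot: The hunks at -9758 and -9833 now expect `"outcome": "failure"` for 725007 (`SSL session with client ... terminated`), which reads as an ordinary session end rather than a denial; whether that is intended depends on the event.type the pipeline assigns to 725007, which is cut off after `"type": [` in both hunks. If 725007 is typed as `denied` the new value follows the commit's rule, but if it is typed as `end` the fixture is locking in a misclassification that any detection keyed on failed TLS sessions would inherit. Worth confirming against default.yml before merging.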
@@ -10905,7 +10897,6 @@ "code": "716059", "kind": "event", "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-716059: Group GROUP_1 User USER_1 IP 10.20.0.1 AnyConnect session resumed. Connection from 172.16.0.1.", - "outcome": "success", "severity": 6, "timezone": "UTC", "type": [ @@ -10981,7 +10972,6 @@ "code": "716059", "kind": "event", "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-716059: Group User IP <10.20.0.1> AnyConnect session resumed connection from IP <172.16.0.1>.", - "outcome": "success", "severity": 6, "timezone": "UTC", "type": [ @@ -11051,7 +11041,6 @@ "code": "716059", "kind": "event", "original": "<166>2024-07-22T23:10:56Z: %ASA-6-716059: Group User IP <10.20.0.1> AnyConnect session resumed connection from IP <172.16.0.1>.", - "outcome": "success", "severity": 6, "timezone": "UTC", "type": [ @@ -11702,7 +11691,7 @@ "code": "313005", "kind": "event", "original": "Sep 25 01:08:29 host1.example.com : Sep 25 05:08:29 UTC: %ASA-ip-4-313005: No matching connection for ICMP error message: icmp src inside:10.11.15.31 dst GWAN:10.11.40.51 (type 3, code 2) on inside interface. Original IP payload: .", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json index f00dc0b700f..2535515bdd4 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json @@ -114,7 +114,7 @@ "code": "106023", "kind": "event", "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -190,7 +190,7 @@ "code": "106023", "kind": "event", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -261,7 +261,7 @@ "code": "106023", "kind": "event", "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -336,7 +336,7 @@ "code": "106017", "kind": "event", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -392,7 +392,7 @@ "code": "313008", "kind": "event", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", - "outcome": "success", + "outcome": "failure", "severity": 3, "timezone": "UTC", "type": [ @@ -466,7 +466,7 @@ "code": "313009", "kind": "event", "original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -769,7 +769,7 @@ "code": "106103", "kind": "event", "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", - "outcome": "success", + "outcome": "failure", "severity": 1, "timezone": "UTC", "type": [ 
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json index dcd771e78b4..939bc43490a 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json @@ -37,7 +37,6 @@ "end": "2020-06-08T12:59:57.000Z", "kind": "event", "original": "Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 67.43.156.12, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested", - "outcome": "success", "reason": "User Requested", "severity": 4, "start": "2020-06-08T12:58:05.000Z", @@ -113,7 +112,6 @@ "end": "2019-10-20T15:42:53.000Z", "kind": "event", "original": "Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 67.43.156.12, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout", - "outcome": "success", "reason": "Idle Timeout", "severity": 4, "start": "2019-10-20T13:15:19.000Z", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json index 27086b42e0a..ea1eb6190da 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json 
@@ -195,7 +195,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:49.000Z", @@ -282,7 +281,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:49.000Z", @@ -369,7 +367,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:49.000Z", @@ -456,7 +453,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:49.000Z", @@ -543,7 +539,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:48.000Z", 
@@ -630,7 +625,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:48.000Z", @@ -717,7 +711,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:48.000Z", @@ -804,7 +797,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:47.000Z", @@ -891,7 +883,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:47.000Z", @@ -978,7 +969,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:47.000Z", 
@@ -1065,7 +1055,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:47.000Z", @@ -1152,7 +1141,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:47.000Z", @@ -1239,7 +1227,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:46.000Z", @@ -1326,7 +1313,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:49.000Z", @@ -1413,7 +1399,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:46.000Z", 
@@ -1500,7 +1485,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:33:45.000Z", @@ -1587,7 +1571,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", - "outcome": "success", "reason": "SYN Timeout", "severity": 6, "start": "2018-10-10T12:34:26.000Z", @@ -4060,7 +4043,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -5506,7 +5488,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -6771,7 +6752,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:29:31.000Z", 
@@ -6858,7 +6838,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -7111,7 +7090,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -7193,7 +7172,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -7275,7 +7254,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -7357,7 +7336,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -7439,7 +7418,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -7521,7 +7500,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -7603,7 +7582,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -7685,7 +7664,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -7767,7 +7746,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -7849,7 +7828,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -7931,7 +7910,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -8013,7 +7992,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -8095,7 +8074,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -9110,7 +9089,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -9365,7 +9343,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", 
@@ -9620,7 +9597,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -9707,7 +9683,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -9962,7 +9937,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -10721,7 +10695,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -10808,7 +10781,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", 
@@ -10895,7 +10867,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -11318,7 +11289,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -11573,7 +11543,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -11660,7 +11629,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -12429,7 +12397,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", 
@@ -12516,7 +12483,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -14651,7 +14617,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -15074,7 +15039,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -15161,7 +15125,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -15248,7 +15211,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", 
@@ -15844,7 +15806,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -16267,7 +16228,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -16354,7 +16314,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-10-10T12:34:56.000Z", @@ -19475,7 +19434,6 @@ "end": "2018-10-10T12:34:56.000Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", - "outcome": "success", "reason": "TCP Reset-I", "severity": 6, "start": "2018-10-10T12:34:52.000Z", @@ -19560,7 +19518,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -19642,7 +19600,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -19724,7 +19682,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -19974,7 +19932,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20056,7 +20014,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20138,7 +20096,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -20220,7 +20178,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20302,7 +20260,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20384,7 +20342,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20466,7 +20424,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20548,7 +20506,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -20630,7 +20588,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20712,7 +20670,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20794,7 +20752,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20876,7 +20834,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -20958,7 +20916,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -21040,7 +20998,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -21122,7 +21080,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -21204,7 +21162,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -21286,7 +21244,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -21368,7 +21326,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -21450,7 +21408,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -21532,7 +21490,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -21614,7 +21572,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -21696,7 +21654,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -21778,7 +21736,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -21860,7 +21818,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -21942,7 +21900,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -22024,7 +21982,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -22106,7 +22064,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -22188,7 +22146,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -22270,7 +22228,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -22352,7 +22310,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -22434,7 +22392,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -22516,7 +22474,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -22598,7 +22556,7 @@ "code": "106023", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -22772,7 +22730,7 @@ "code": "106023", "kind": "event", "original": "<164>Jan 11 2023 13:34:06: %ASA-4-106023: Deny udp src MY_mgmt:192.168.124.24/123 dst MPLS_Internet:172.31.98.44/123 by access-group \"MY_mgmt_access_in\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json index 452fb53b95d..9830fe76921 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json @@ -100,7 +100,7 @@ "code": "106001", "kind": "event", "original": "Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json index 54de1e5eaf6..1daac54e16c 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json @@ -363,7 +363,7 @@ "code": "106015", "kind": "event", "original": "Jul 15 13:36:59 216.160.83.56 : %ASA-6-106015: Deny TCP (no connection) from 10.12.227.40/389 to exp-angle/54703 flags RST on interface SH_INFRA_MGT", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ 
@@ -433,7 +433,7 @@ "code": "106015", "kind": "event", "original": "Jul 15 13:36:39 216.160.83.56 : %ASA-6-106015: Deny TCP (no connection) from 89.160.20.128/56594 to sh-mailgw1/25 flags FIN ACK on interface outside", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ @@ -899,7 +899,7 @@ "code": "106023", "kind": "event", "original": "Jul 15 13:18:06 216.160.83.56 : %ASA-4-106023: Deny tcp src MG:exp_srv/64593 dst SH_OSS:89.160.20.128/2511 by access-group \"MGT_access_in\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -994,7 +994,7 @@ "code": "106023", "kind": "event", "original": "Jul 15 01:18:01 216.160.83.56 : %ASA-4-106023: Deny tcp src MG:exp_srv/63513 dst SH_OSS:89.160.20.128/2511 by access-group \"MGT_access_in\" [0x0, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json index 9901dda9d20..5fc0a97bcb1 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json @@ -189,7 +189,7 @@ "code": "338204", "kind": "event", "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json index 78162520969..7f72c2e2f1a 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json @@ -25,7 +25,7 @@ "code": "106023", "kind": "event", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -96,7 +96,7 @@ "code": "106023", "kind": "event", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -1310,7 +1310,7 @@ "code": "106007", "kind": "event", "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -2081,7 +2081,7 @@ "code": "106006", "kind": "event", "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -2141,7 +2141,7 @@ "code": "106007", "kind": "event", "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ 
@@ -2559,7 +2559,7 @@ "code": "106023", "kind": "event", "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -2630,7 +2630,7 @@ "code": "106023", "kind": "event", "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -2993,7 +2993,7 @@ "code": "106023", "kind": "event", "original": "Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -3067,7 +3067,7 @@ "code": "106023", "kind": "event", "original": "Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -3303,7 +3303,6 @@ "end": "2018-12-11T08:01:31.000Z", "kind": "event", "original": "Dec 11 2018 08:01:31 : %ASA-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-12-11T08:01:31.000Z", @@ -3382,7 +3381,6 @@ "end": "2018-12-11T08:01:38.000Z", "kind": "event", "original": "Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-12-11T08:00:30.000Z", 
@@ -3461,7 +3459,6 @@ "end": "2018-12-11T08:01:38.000Z", "kind": "event", "original": "Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-12-11T08:00:30.000Z", @@ -3536,7 +3533,7 @@ "code": "106015", "kind": "event", "original": "Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ @@ -3603,7 +3600,7 @@ "code": "106015", "kind": "event", "original": "Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "outcome": "success", + "outcome": "failure", "severity": 6, "timezone": "UTC", "type": [ @@ -3672,7 +3669,7 @@ "code": "106023", "kind": "event", "original": "Dec 11 2018 08:01:39 : %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -3906,7 +3903,6 @@ "end": "2018-12-11T08:01:53.000Z", "kind": "event", "original": "Dec 11 2018 08:01:53 : %ASA-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2018-12-10T08:01:54.000Z", @@ -4055,7 +4051,7 @@ "code": "106016", "kind": "event", "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ 
@@ -4119,7 +4115,7 @@ "code": "106016", "kind": "event", "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -4183,7 +4179,7 @@ "code": "106016", "kind": "event", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -4247,7 +4243,7 @@ "code": "106016", "kind": "event", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -4311,7 +4307,7 @@ "code": "106016", "kind": "event", "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -4375,7 +4371,7 @@ "code": "106016", "kind": "event", "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -4439,7 +4435,7 @@ "code": "106016", "kind": "event", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ 
@@ -4503,7 +4499,7 @@ "code": "106016", "kind": "event", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "outcome": "success", + "outcome": "failure", "severity": 2, "timezone": "UTC", "type": [ @@ -4570,7 +4566,7 @@ "code": "106023", "kind": "event", "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -4643,7 +4639,7 @@ "code": "313001", "kind": "event", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", - "outcome": "success", + "outcome": "failure", "severity": 3, "timezone": "UTC", "type": [ @@ -4711,7 +4707,7 @@ "code": "313004", "kind": "event", "original": "Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -4948,7 +4944,7 @@ "code": "338008", "kind": "event", "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -5124,7 +5120,7 @@ "code": "304002", "kind": "event", "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", - "outcome": "success", + "outcome": "failure", "severity": 5, "timezone": "UTC", "type": [ 
@@ -6244,7 +6240,6 @@ "end": "2021-01-15T19:12:37.000Z", "kind": "event", "original": "Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:67.43.156.15/50120(LOCAL\\domain\\USER001) to OUTSIDE:1.128.3.4/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\\USER001)", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2021-01-15T19:10:32.000Z", @@ -6743,7 +6738,6 @@ "end": "2023-11-17T11:05:08.000Z", "kind": "event", "original": "Nov 17 2023 11:05:08: %ASA-6-302014: Teardown TCP connection 261246338 for outside:67.43.156.15/63790(LOCAL\\First Last) to inside:192.168.0.1/53 duration 0:35:58 bytes 27451 TCP FINs from outside (First Last)", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2023-11-17T10:29:10.000Z", @@ -6840,7 +6834,6 @@ "end": "2023-11-17T11:05:08.000Z", "kind": "event", "original": "Nov 17 2023 11:05:08: %ASA-6-302014: Teardown TCP connection 261246338 for outside:67.43.156.15/63790(LOCAL\\Speciäl Ö01) to inside:192.168.0.1/53 duration 0:35:58 bytes 27451 TCP FINs from outside (Speciäl Ö01)", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2023-11-17T10:29:10.000Z", @@ -6937,7 +6930,6 @@ "end": "2023-11-17T11:05:08.000Z", "kind": "event", "original": "Nov 17 2023 11:05:08: %ASA-6-302014: Teardown TCP connection 261246338 for outside:67.43.156.15/63790(LOCAL\\domain\\Speciäl Ö1) to inside:192.168.0.1/53 duration 0:35:58 bytes 27451 TCP FINs from outside (domain\\Speciäl Ö1)", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2023-11-17T10:29:10.000Z", 
@@ -7038,7 +7030,6 @@ "end": "2023-11-17T11:05:08.000Z", "kind": "event", "original": "Nov 17 2023 11:05:08: %ASA-6-302014: Teardown TCP connection 261246338 for outside:67.43.156.15/63790(LOCAL\\First Middle Last) to inside:192.168.0.1/53 duration 0:35:58 bytes 27451 TCP FINs from outside (First Middle Last)", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2023-11-17T10:29:10.000Z", @@ -7135,7 +7126,6 @@ "end": "2023-11-17T11:05:08.000Z", "kind": "event", "original": "Nov 17 2023 11:05:08: %ASA-6-302014: Teardown TCP connection 261246338 for outside:67.43.156.15/63790(LOCAL\\First-Middle Last) to inside:192.168.0.1/53 duration 0:35:58 bytes 27451 TCP FINs from outside (domain\\First-Middle Last)", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2023-11-17T10:29:10.000Z", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sgt-tag-name.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sgt-tag-name.log-expected.json index 682dad750f7..acbfb092589 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sgt-tag-name.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sgt-tag-name.log-expected.json @@ -27,7 +27,7 @@ "code": "106023", "kind": "event", "original": "<140>Oct 06 2023 09:22:19 myAsaHostname : %ASA-4-106023: Deny tcp src outside:192.168.2.2/51982(9999:my_SgtName) dst inside:192.168.2.3/443 by access-group \"outside_access_in\" [0x2a9e189a, 0x0]", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
@@ -213,7 +213,6 @@ "end": "2023-10-06T09:22:19.000Z", "kind": "event", "original": "<142>Oct 06 2023 09:22:19 myAsaHostname : %ASA-6-302014: Teardown TCP connection 990458751 for outside:192.168.2.2/55745(9999:my_SgtName) to inside:192.168.2.3/443 duration 0:01:29 bytes 17859 TCP Reset-O from outside", - "outcome": "success", "reason": "TCP Reset-O", "severity": 6, "start": "2023-10-06T09:20:50.000Z", @@ -646,7 +645,7 @@ "code": "313005", "kind": "event", "original": "<140>Oct 06 2023 10:11:00 myAsaHostname : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.2.2(9999:my_SgtName) dst inside:192.168.2.3 (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.2.3/53 dst 192.168.2.2/60919.", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -741,7 +740,7 @@ "code": "313005", "kind": "event", "original": "<140>Oct 06 2023 10:11:00 myAsaHostname : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.2.2(9999:my_SgtNameSrc) dst inside:192.168.2.3(8888:my_SgtNameDst) (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.2.3/53 dst 192.168.2.2/60919.", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -1080,7 +1079,6 @@ "end": "2023-10-06T10:17:54.000Z", "kind": "event", "original": "<142>Oct 06 2023 10:17:54 myAsaHostname : %ASA-6-302014: Teardown TCP connection 79710069 for outside:192.168.2.2/59774(LOCAL\\myUser1234, 9999:my_SgtName) to inside:192.168.2.3/443 duration 0:01:04 bytes 16874 TCP FINs from outside (myUser1234)", - "outcome": "success", "reason": "TCP FINs", "severity": 6, "start": "2023-10-06T10:16:50.000Z", 
@@ -1542,7 +1540,7 @@ "code": "313005", "kind": "event", "original": "<140>Oct 06 2023 10:33:23 myAsaHostname : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.2.2(LOCAL\\myUser1234, 9999:my_SgtName) dst inside:192.168.2.3 (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.2.3/53 dst 192.168.2.2/54860.", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -1746,7 +1744,6 @@ "end": "2023-10-25T14:22:19.000Z", "kind": "event", "original": "<142>Oct 25 2023 14:22:19 myAsaHostname : %ASA-6-302014: Teardown TCP connection 63490259 for outside:192.168.2.2/49786(LOCAL\\myUser1234$, 9999:my_SgtName) to inside:192.168.2.3/5985 duration 0:00:30 bytes 0 SYN Timeout (myUser1234$)", - "outcome": "success", "reason": "SYN Timeout", "severity": 6, "start": "2023-10-25T14:21:49.000Z", @@ -2230,7 +2227,7 @@ "code": "313005", "kind": "event", "original": "<140>Oct 25 2023 06:53:06 myAsaHostname : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.2.2(LOCAL\\myUser1234$, 9999:my_SgtName) dst inside:192.168.2.3 (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.2.3/53 dst 192.168.2.2/55735.", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ @@ -2394,7 +2391,7 @@ "code": "313005", "kind": "event", "original": "<164>Oct 25 2023 14:40:42 myAsaHostname : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:192.168.2.2 dst outside:myComputer1.myDomain.com (type 3, code 3) on inside interface. Original IP payload: udp src myComputer1.myDomain.com/53 dst 192.168.2.2/58164.", - "outcome": "success", + "outcome": "failure", "severity": 4, "timezone": "UTC", "type": [ 
diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 53ac75ec9b3..4277f80d51e 100644
--- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -2346,75 +2346,75 @@ processors:
 params:
 "106001":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106002":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106006":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106007":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106010":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106012":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106013":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106014":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106015":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106016":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106017":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106018":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106020":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106021":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106022":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106023":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106027":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "106103":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "110002":
 type: [ connection, info ]
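Review bot: Nothing in the per-code table records the convention this hunk establishes, so a maintainer adding the next `denied` code has no guidance on which outcome to pick and the previous `outcome: success` could easily creep back in. A one-line comment above `params:` such as `# event.type "denied" entries carry outcome: failure (the connection/access attempt failed); "end"/"start" entries leave event.outcome unset` would make the table self-documenting. The `params:` key belongs to a processor whose start is outside the hunk.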
@@ -2467,7 +2467,6 @@ processors:
 action: logon-failed
 "113019":
 type: [ connection, end ]
- outcome: success
 action: client-vpn-disconnected
 "113021":
 category: [ authentication, network ]
@@ -2537,7 +2536,6 @@ processors:
 action: flow-creation
 "302014":
 type: [ connection, end ]
- outcome: success
 action: flow-expiration
 "302015":
 type: [ connection, start ]
@@ -2585,15 +2583,12 @@ processors:
 action: flow-expiration
 "302036":
 type: [ connection, end ]
- outcome: success
 action: flow-expiration
 "302304":
 type: [ connection, end ]
- outcome: success
 action: flow-expiration
 "302306":
 type: [ connection, end ]
- outcome: success
 action: flow-expiration
 "303002":
 category: [ network, file ]
@@ -2606,7 +2601,7 @@ processors:
 action: url-access
 "304002":
 type: [ access, denied ]
- outcome: success
+ outcome: failure
 action: url-access
 "305011":
 category: [ network, configuration ]
@@ -2620,30 +2615,30 @@ processors:
 action: nat-slot
 "313001":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "313004":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "313005":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "313008":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "313009":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "315011":
 type: [ connection, end ]
 action: ssh-session-ended
 "322001":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "338001":
 type: [ connection, info ]
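Review bot: The removal of `outcome: success` from the `[ connection, end ]` entries in the first three hunks here (113019, 302014, 302036, 302304, 302306) is a second, separate behaviour change from the denied-to-failure switch: teardown and VPN-disconnect events stop carrying `event.outcome` at all, which any saved search or dashboard filtering on `event.outcome:success` for those codes will notice. It deserves its own mention in the package changelog entry, e.g. `... and no longer set event.outcome on connection end events.`, and a short comment in the table stating that end/start events intentionally carry no outcome. The same removal appears again later for 716002, 716058 and 716059.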
@@ -2659,19 +2654,19 @@ processors:
 action: dynamic-filter
 "338005":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: dynamic-filter
 "338006":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: dynamic-filter
 "338007":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: dynamic-filter
 "338008":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: dynamic-filter
 "338101":
 type: [ connection, info ]
@@ -2693,11 +2688,11 @@ processors:
 action: dynamic-filter
 "338203":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: dynamic-filter
 "338204":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: dynamic-filter
 "338301":
 type: [ connection, info ]
@@ -2710,7 +2705,7 @@ processors:
 action: interface-switchover
 "434002":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "434004":
 type: [ info ]
@@ -2770,7 +2765,7 @@ processors:
 action: logged-out
 "710003":
 type: [ connection, denied ]
- outcome: success
+ outcome: failure
 action: firewall-rule
 "710005":
 type: [ connection, denied ]
@@ -2809,7 +2804,6 @@ processors:
 type: [ info ]
 "716002":
 type: [ connection, end ]
- outcome: success
 action: client-vpn-disconnected
 "716003":
 category: [ authentication, network ]
@@ -2822,11 +2816,9 @@ processors:
 outcome: failure
 "716058":
 type: [ connection, end ]
- outcome: success
 action: client-vpn-disconnected
 "716059":
 type: [ connection, start ]
- outcome: success
 action: client-vpn-resumed
 "721016":
 type: [ connection, start ]
@@ -2871,7 +2863,7 @@ processors:
 outcome: success
 "725007":
 type: [ connection, end ]
- outcome: success
+ outcome: failure
 "725016":
 type: [ connection, info ]
 outcome: success
diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
index 9980e2a7968..8b6f0f47683 100644
--- a/packages/cisco_asa/manifest.yml
+++ b/packages/cisco_asa/manifest.yml
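Review bot: The `725007` entry in the last `@@ -2871` hunk is typed `[ connection, end ]` yet is switched to `outcome: failure`, while every other `[ connection, end ]` entry touched by this change (716002, 716058, 302014 and the rest) has its outcome line removed instead; nothing in the table shows that 725007 denotes a failed session, so either drop the line as for the others or add a comment next to it stating why this end event counts as a failure. Separately, in the `@@ -2770` hunk the `710005` entry is typed `[ connection, denied ]` but no outcome line appears within the hunk's context — presumably it has none, in which case it would be the one denied code left without `outcome: failure`; worth confirming against the full table, which continues outside the hunk.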
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_asa
 title: Cisco ASA
-version: "2.39.1"
+version: "2.40.0"
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
 categories: