From 6780c63fbaed3f386affb8569a73e1b3422344d9 Mon Sep 17 00:00:00 2001 
From: Marius Iversen
Date: Thu, 10 Jun 2021 08:15:13 +0200
Subject: [PATCH] [Cisco] updating cisco package to ECS 1.10.0 and adding event.original (#1035)

* updating cisco package to ECS 1.10.0 and adding event.original
* updating manifest and changelog
* syncing module changes
* fixing test log filenames and linting
* fixing merge changes
* linting and regenerating test data
* fixing typo
* fixing hbs typos
* Linting processors
* linting and updating version
---
 packages/cisco/changelog.yml | 5 +
 .../pipeline/test-additional-messages.log | 18 +-
 ...test-additional-messages.log-expected.json | 2039 ++++++++++----
 .../pipeline/test-asa-fix.log-expected.json | 105 +-
 .../test/pipeline/test-asa.log-expected.json | 2350 ++++++++---------
 .../test-dap-records.log-expected.json | 7 +-
 .../pipeline/test-filtered.log-expected.json | 31 +-
 .../pipeline/test-hostnames.log-expected.json | 22 +-
 .../pipeline/test-not-ip.log-expected.json | 39 +-
 .../asa/_dev/test/pipeline/test-sample.log | 3 +-
 .../pipeline/test-sample.log-expected.json | 803 +++---
 .../asa/agent/stream/stream.yml.hbs | 16 +-
 .../data_stream/asa/agent/stream/udp.yml.hbs | 16 +-
 .../elasticsearch/ingest_pipeline/default.yml | 533 +++-
 packages/cisco/data_stream/asa/fields/ecs.yml | 98 +-
 .../cisco/data_stream/asa/fields/fields.yml | 68 +-
 packages/cisco/data_stream/asa/manifest.yml | 45 +-
 .../pipeline/test-asa-fix.log-expected.json | 47 +-
 .../test/pipeline/test-asa.log-expected.json | 2350 ++++++++---------
 .../test/pipeline/test-dns.log-expected.json | 189 +-
 .../pipeline/test-filtered.log-expected.json | 20 +-
 ...est-firepower-management.log-expected.json | 1198 +++++---
 .../pipeline/test-intrusion.log-expected.json | 28 +-
 .../test-no-type-id.log-expected.json | 36 +-
 .../pipeline/test-not-ip.log-expected.json | 39 +-
 .../pipeline/test-sample.log-expected.json | 708 +++--
 ...test-security-connection.log-expected.json | 105 +-
 ...st-security-file-malware.log-expected.json | 151 +-
 ...st-security-malware-site.log-expected.json | 17 +-
 .../ftd/agent/stream/stream.yml.hbs | 16 +-
 .../data_stream/ftd/agent/stream/udp.yml.hbs | 16 +-
 .../elasticsearch/ingest_pipeline/default.yml | 534 +++-
 packages/cisco/data_stream/ftd/fields/ecs.yml | 101 +-
 .../cisco/data_stream/ftd/fields/fields.yml | 43 +-
 packages/cisco/data_stream/ftd/manifest.yml | 46 +-
 .../ios/_dev/test/pipeline/test-cisco-ios.log | 2 +-
 .../pipeline/test-cisco-ios.log-expected.json | 98 +-
 .../ios/agent/stream/stream.yml.hbs | 16 +-
 .../data_stream/ios/agent/stream/udp.yml.hbs | 15 +-
 .../elasticsearch/ingest_pipeline/default.yml | 64 +-
 packages/cisco/data_stream/ios/manifest.yml | 33 +-
 .../_dev/test/pipeline/test-generated.log | 100 +
 .../pipeline/test-generated.log-config.yml | 5 +
 .../pipeline/test-generated.log-expected.json | 1204 +++++++++
 .../meraki/agent/stream/stream.yml.hbs | 13 +-
 .../meraki/agent/stream/tcp.yml.hbs | 11 +-
 .../meraki/agent/stream/udp.yml.hbs | 13 +-
 .../elasticsearch/ingest_pipeline/default.yml | 96 +-
 .../cisco/data_stream/meraki/manifest.yml | 74 +-
 .../nexus/agent/stream/stream.yml.hbs | 11 +-
 .../nexus/agent/stream/tcp.yml.hbs | 11 +-
 .../nexus/agent/stream/udp.yml.hbs | 11 +-
 .../elasticsearch/ingest_pipeline/default.yml | 96 +-
 packages/cisco/data_stream/nexus/manifest.yml | 75 +-
 packages/cisco/docs/README.md | 50 +-
 packages/cisco/manifest.yml | 2 +-
 56 files changed, 8454 insertions(+), 5388 deletions(-)
 create mode 100644 packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log
 create mode 100644 packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-config.yml
 create mode 100644 packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
diff --git a/packages/cisco/changelog.yml b/packages/cisco/changelog.yml
index 7a12bd81b54..32a25324aca 100644
--- a/packages/cisco/changelog.yml
+++ b/packages/cisco/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.9.3"
+ changes:
+ - description: update to ECS 1.10.0 and prepare package for fleet GA
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1035
 - version: "0.9.2"
 changes:
 - description: make event.original optional
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log
index f9ba86b8d0c..0c3aef67223 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log
@@ -64,6 +64,22 @@ Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FC
 Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin
 Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
 Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
-Apr 27 02:03:03 dev01: %ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session
+Apr 27 02:03:03 dev01: %ASA-4-722051: Group User IP <192.168.50.3> IPv4 Address <192.168.50.5> IPv6 address <::> assigned to session
 Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
+Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.
 Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
+Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally
+Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514
+Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412
+Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
+Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.
+Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.
+Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
+Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
+Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)
+Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.
+Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
index 28e2b8d6c61..d9e62b3f996 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
@@ -46,7 +46,7 @@
 },
 "@timestamp": "2021-05-05T17:51:17.000Z",
 "ecs": {
- "version": "1.9.0"
+ "version": "1.10.0"
 },
 "related": {
 "hosts": [
@@ -54,7 +54,9 @@
 ],
 "ip": [
 "10.10.10.10",
- "192.168.2.2"
+ "8.8.8.8",
+ "192.168.2.2",
+ "8.8.5.4"
 ]
 },
 "host": {
@@ -62,8 +64,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-06-03T06:53:03.330703663Z",
- "original": "%FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)",
+ "ingested": "2021-06-09T10:11:10.715911Z",
+ "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -82,8 +84,7 @@
 "mapped_source_ip": "8.8.8.8",
 "connection_id": "111111111",
 "source_interface": "net",
- "mapped_destination_port": 53500,
- "message_id": "302013"
+ "mapped_destination_port": 53500
 }
 }
 },
@@ -133,7 +134,7 @@
 },
 "@timestamp": "2021-05-05T17:51:17.000Z",
 "ecs": {
- "version": "1.9.0"
+ "version": "1.10.0"
 },
 "related": {
 "hosts": [
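Review bot: The new %ASA-4-722051 sample replaces the old one rather than sitting next to it, so the hunk drops the only fixture in which Group, User and the IPv6 address of that message are populated (`some-policy`, `testuser`, `2001:4860:4860::8888`); the new line covers the empty-field / `<::>` variant, which is worth having, but both should be present so a regression in the populated-field parsing of 722051 is still caught. Suggest restoring the removed line as context and keeping the new `+Apr 27 02:03:03 dev01: %ASA-4-722051: Group User IP <192.168.50.3> IPv4 Address <192.168.50.5> IPv6 address <::> assigned to session` beside it. Separately, several added lines carry port values above 65535 (`/123123`, `/514514`, `/123412`); if the pipeline maps these into ECS port fields, a fixture with valid 16-bit ports (e.g. `/12312`, `/51451`, `/12341`) would keep the test meaningful should range validation be added later. The added lines also switch to a year-bearing timestamp (`Apr 27 2020 02:03:03`) while the surrounding samples have no year, which presumably is intended to exercise that syslog format — confirm it is deliberate rather than a copy-paste difference.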
@@ -141,7 +142,9 @@ ], "ip": [ "10.10.10.10", - "192.168.2.2" + "8.8.8.8", + "192.168.2.2", + "8.8.5.4" ] }, "host": { @@ -149,8 +152,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330721382Z", - "original": "%FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "ingested": "2021-06-09T10:11:10.715939500Z", + "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -169,8 +172,7 @@ "mapped_source_ip": "8.8.8.8", "connection_id": "111111111", "source_interface": "net", - "mapped_destination_port": 53500, - "message_id": "302015" + "mapped_destination_port": 53500 } } }, @@ -204,7 +206,7 @@ }, "@timestamp": "2021-05-05T17:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -212,6 +214,7 @@ ], "ip": [ "192.168.2.2", + "8.8.8.8", "10.10.10.10" ] }, @@ -220,8 +223,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330725364Z", - "original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "ingested": "2021-06-09T10:11:10.715948Z", + "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", "action": "flow-expiration", @@ -236,7 +239,8 @@ "cisco": { "asa": { "mapped_source_ip": "8.8.8.8", - "message_id": "302020" + "icmp_type": 3, + "icmp_code": 3 } } }, @@ -264,7 +268,7 @@ }, "@timestamp": "2021-05-05T17:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -280,8 +284,8 @@ "event": { "severity": 7, "duration": 0, - "ingested": "2021-06-03T06:53:03.330726882Z", - "original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", + "ingested": "2021-06-09T10:11:10.715980300Z", + "original": "May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", "code": "609002", "kind": "event", "start": "2021-05-05T17:51:17.000Z", @@ -297,8 +301,7 @@ }, "cisco": { "asa": { - "source_interface": "net", - "message_id": "609002" + "source_interface": "net" } } }, @@ -326,7 +329,7 @@ }, "@timestamp": "2021-05-05T17:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -341,8 +344,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:03.330728342Z", - "original": "%FTD-7-609001: Built local-host net:192.168.2.2", + "ingested": "2021-06-09T10:11:10.715988300Z", + "original": "May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2", "code": "609001", "kind": "event", "action": "flow-expiration", @@ -356,8 +359,7 @@ }, "cisco": { "asa": { - "source_interface": "net", - "message_id": "609001" + "source_interface": "net" } } }, @@ -391,7 +393,7 @@ }, "@timestamp": "2021-05-05T17:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -399,6 +401,7 @@ ], "ip": [ "192.168.2.2", + "8.8.8.8", "10.10.10.10" ] }, @@ -407,8 +410,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330729732Z", - "original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", + "ingested": "2021-06-09T10:11:10.715994700Z", + "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", "code": "302020", "kind": "event", "action": "flow-expiration", 
@@ -423,7 +426,8 @@ "cisco": { "asa": { "mapped_source_ip": "8.8.8.8", - "message_id": "302020" + "icmp_type": 3, + "icmp_code": 1 } } }, @@ -471,7 +475,7 @@ }, "@timestamp": "2021-05-05T17:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -479,7 +483,9 @@ ], "ip": [ "10.10.10.10", - "192.168.2.2" + "8.8.8.8", + "192.168.2.2", + "8.8.5.4" ] }, "host": { @@ -487,8 +493,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330731146Z", - "original": "%FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", + "ingested": "2021-06-09T10:11:10.716002Z", + "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", "code": "805001", "kind": "event", "action": "firewall-rule", @@ -507,8 +513,7 @@ "mapped_source_ip": "8.8.8.8", "connection_id": "111111111", "source_interface": "fw111", - "mapped_destination_port": 111, - "message_id": "805001" + "mapped_destination_port": 111 } } }, @@ -551,7 +556,7 @@ }, "@timestamp": "2021-05-05T17:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -567,8 +572,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330732530Z", - "original": "%FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", + "ingested": "2021-06-09T10:11:10.716008200Z", + "original": "May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", "code": "805002", "kind": "event", "action": "firewall-rule", 
@@ -587,8 +592,7 @@ "mapped_source_ip": "10.192.18.4", "connection_id": "941243214", "source_interface": "net", - "mapped_destination_port": 443, - "message_id": "805002" + "mapped_destination_port": 443 } } }, @@ -626,7 +630,7 @@ }, "@timestamp": "2021-05-05T17:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -642,8 +646,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:03.330733970Z", - "original": "%FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", + "ingested": "2021-06-09T10:11:10.716014400Z", + "original": "May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", "code": "710005", "kind": "event", "action": "firewall-rule", @@ -651,13 +655,14 @@ "network" ], "type": [ - "info" - ] + "info", + "denied" + ], + "outcome": "failure" }, "cisco": { "asa": { - "destination_interface": "fw111", - "message_id": "710005" + "destination_interface": "fw111" } } }, @@ -702,7 +707,7 @@ "path": "/export/home/sysm/ftproot/sdsdsds/tmp.log" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -723,8 +728,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330735370Z", - "original": "%FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", + "ingested": "2021-06-09T10:11:10.716020100Z", + "original": "May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", "code": "303002", "kind": "event", "action": "firewall-rule", @@ -738,8 +743,7 @@ "cisco": { "asa": { "destination_interface": "fw111", - "source_interface": "net", - "message_id": "303002" + "source_interface": "net" } } }, 
@@ -752,7 +756,7 @@ }, "@timestamp": "2021-05-05T17:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -767,8 +771,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:03.330736820Z", - "original": "%FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", + "ingested": "2021-06-09T10:11:10.716027200Z", + "original": "May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", "code": "710006", "kind": "event", "action": "firewall-rule", @@ -780,9 +784,7 @@ ] }, "cisco": { - "asa": { - "message_id": "710006" - } + "asa": {} }, "tags": [ "preserve_original_event" @@ -812,7 +814,7 @@ }, "@timestamp": "2021-05-05T17:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -824,8 +826,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:03.330738380Z", - "original": "%FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", + "ingested": "2021-06-09T10:11:10.716033200Z", + "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", "code": "313005", "kind": "event", "action": "firewall-rule", @@ -838,8 +840,7 @@ }, "cisco": { "asa": { - "source_interface": "fw111", - "message_id": "313005" + "source_interface": "fw111" } } }, @@ -873,7 +874,7 @@ }, "@timestamp": "2021-05-05T18:16:21.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -881,6 +882,7 @@ ], "ip": [ "10.10.10.10", + "8.8.8.8", "192.168.2.2" ] }, 
@@ -889,8 +891,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330739817Z", - "original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", + "ingested": "2021-06-09T10:11:10.716039200Z", + "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", "code": "302021", "kind": "event", "action": "flow-expiration", @@ -905,8 +907,8 @@ "cisco": { "asa": { "mapped_source_ip": "8.8.8.8", - "source_username": "type", - "message_id": "302021" + "icmp_type": 8, + "icmp_code": 0 } } }, @@ -934,7 +936,7 @@ }, "@timestamp": "2021-05-05T18:22:35.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -949,8 +951,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:03.330741211Z", - "original": "%ASA-7-609001: Built local-host net:10.10.10.10", + "ingested": "2021-06-09T10:11:10.716044900Z", + "original": "May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10", "code": "609001", "kind": "event", "action": "flow-expiration", @@ -964,8 +966,7 @@ }, "cisco": { "asa": { - "source_interface": "net", - "message_id": "609001" + "source_interface": "net" } } }, @@ -993,7 +994,7 @@ }, "@timestamp": "2021-05-05T18:24:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1009,8 +1010,8 @@ "event": { "severity": 7, "duration": 0, - "ingested": "2021-06-03T06:53:03.330743276Z", - "original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", + "ingested": "2021-06-09T10:11:10.716050700Z", + "original": "May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", "code": "609002", "kind": "event", "start": "2021-05-05T18:24:31.000Z", 
@@ -1026,8 +1027,7 @@ }, "cisco": { "asa": { - "source_interface": "identity", - "message_id": "609002" + "source_interface": "identity" } } }, @@ -1061,7 +1061,7 @@ }, "@timestamp": "2021-05-05T18:29:32.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1069,6 +1069,7 @@ ], "ip": [ "10.192.46.90", + "8.8.8.8", "10.10.10.10" ] }, @@ -1077,8 +1078,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330744797Z", - "original": "%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", + "ingested": "2021-06-09T10:11:10.716056400Z", + "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", "code": "302020", "kind": "event", "action": "flow-expiration", @@ -1092,8 +1093,7 @@ }, "cisco": { "asa": { - "mapped_source_ip": "8.8.8.8", - "message_id": "302020" + "mapped_source_ip": "8.8.8.8" } } }, @@ -1127,7 +1127,7 @@ }, "@timestamp": "2021-05-05T18:29:32.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1135,6 +1135,7 @@ ], "ip": [ "192.168.2.2", + "8.8.8.8", "10.10.10.10" ] }, @@ -1143,8 +1144,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330746377Z", - "original": "%ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "ingested": "2021-06-09T10:11:10.716063400Z", + "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", "action": "flow-expiration", @@ -1159,7 +1160,8 @@ "cisco": { "asa": { "mapped_source_ip": "8.8.8.8", - "message_id": "302020" + "icmp_type": 3, + "icmp_code": 3 } } }, 
@@ -1203,7 +1205,7 @@ }, "@timestamp": "2021-05-05T18:29:32.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1220,8 +1222,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:03.330747770Z", - "original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:10.716074900Z", + "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", "code": "302014", "kind": "event", "start": "2021-05-05T18:29:32.000Z", @@ -1238,7 +1241,6 @@ "cisco": { "asa": { "destination_interface": "fw111", - "message_id": "302014", "connection_id": "2960892904", "source_interface": "out111" } @@ -1290,7 +1292,7 @@ }, "@timestamp": "2021-05-05T18:29:32.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1298,6 +1300,7 @@ ], "ip": [ "192.168.2.2", + "8.8.8.8", "10.10.10.10" ] }, @@ -1306,8 +1309,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330749192Z", - "original": "%ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", + "ingested": "2021-06-09T10:11:10.716080600Z", + "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -1326,8 +1329,7 @@ "mapped_source_ip": "8.8.8.8", "connection_id": "1588662", "source_interface": "intfacename", - "mapped_destination_port": 54839, - "message_id": "302013" + "mapped_destination_port": 54839 } } }, 
@@ -1370,7 +1372,7 @@ }, "@timestamp": "2021-05-05T18:29:32.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1387,8 +1389,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:03.330750558Z", - "original": "%ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "ingested": "2021-06-09T10:11:10.716086400Z", + "original": "May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", "code": "302012", "kind": "event", "start": "2021-05-05T18:29:32.000Z", @@ -1405,8 +1407,7 @@ "cisco": { "asa": { "destination_interface": "out111", - "source_interface": "fw111", - "message_id": "302012" + "source_interface": "fw111" } } }, @@ -1442,7 +1443,7 @@ }, "@timestamp": "2021-05-05T18:40:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1458,8 +1459,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:03.330751982Z", - "original": "%ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", + "ingested": "2021-06-09T10:11:10.716092Z", + "original": "May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", "code": "313004", "kind": "event", "action": "firewall-rule", @@ -1470,13 +1471,12 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "icmp_type": 0, - "source_interface": "fw502", - "message_id": "313004" + "source_interface": "fw502" } } }, @@ -1519,7 +1519,7 @@ }, "@timestamp": "2021-05-05T18:40:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -1535,8 +1535,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330753395Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", + "ingested": "2021-06-09T10:11:10.716097600Z", + "original": "May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1550,8 +1550,7 @@ "cisco": { "asa": { "destination_interface": "out111", - "source_interface": "fw111", - "message_id": "305011" + "source_interface": "fw111" } } }, @@ -1590,7 +1589,7 @@ }, "@timestamp": "2021-05-05T18:40:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1606,8 +1605,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:03.330754811Z", - "original": "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", + "ingested": "2021-06-09T10:11:10.716107400Z", + "original": "May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", "code": "106001", "kind": "event", "action": "firewall-rule", @@ -1618,12 +1617,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "out111", - "message_id": "106001" + "source_interface": "out111" } } }, @@ -1685,7 +1683,7 @@ }, "@timestamp": "2021-05-05T18:40:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -1702,8 +1700,8 @@ "event": { "severity": 2, "duration": 124000000000, - "ingested": "2021-06-03T06:53:03.330756314Z", - "original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", + "ingested": "2021-06-09T10:11:10.716113Z", + "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", "code": "302016", "kind": "event", "start": "2021-05-05T18:38:46.000Z", @@ -1720,7 +1718,6 @@ "cisco": { "asa": { "destination_interface": "net", - "message_id": "302016", "connection_id": "1671727", "source_interface": "intfacename" } @@ -1772,7 +1769,7 @@ }, "@timestamp": "2021-05-05T18:40:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1780,7 +1777,9 @@ ], "ip": [ "10.10.10.10", - "192.168.2.2" + "8.8.8.4", + "192.168.2.2", + "8.8.8.8" ] }, "host": { @@ -1788,8 +1787,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:03.330757735Z", - "original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "ingested": "2021-06-09T10:11:10.716118900Z", + "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1808,8 +1807,7 @@ "mapped_source_ip": "8.8.8.4", "connection_id": "1743372", "source_interface": "intfacename", - "mapped_destination_port": 22638, - "message_id": "302015" + "mapped_destination_port": 22638 } } }, @@ -1859,7 +1857,7 @@ }, "@timestamp": "2021-05-05T18:40:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -1867,7 +1865,9 @@ ], "ip": [ "10.10.10.10", - "192.168.2.2" + "8.8.8.4", + "192.168.2.2", + "8.8.8.8" ] }, "host": { @@ -1875,8 +1875,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:03.330759105Z", - "original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "ingested": "2021-06-09T10:11:10.716124700Z", + "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1895,8 +1895,7 @@ "mapped_source_ip": "8.8.8.4", "connection_id": "1743372", "source_interface": "intfacename", - "mapped_destination_port": 22638, - "message_id": "302015" + "mapped_destination_port": 22638 } } }, @@ -1939,7 +1938,7 @@ }, "@timestamp": "2021-05-05T18:40:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1955,8 +1954,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:03.330760524Z", - "original": "%ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", + "ingested": "2021-06-09T10:11:10.716130200Z", + "original": "May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -1967,12 +1966,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "out111", - "message_id": "106023", "rule_name": "out1111_access_out", "source_interface": "fw111" } @@ -2010,7 +2008,7 @@ }, "@timestamp": "2021-05-05T18:40:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2026,8 +2024,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:03.330761916Z", - "original": "%ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", + "ingested": "2021-06-09T10:11:10.716136Z", + "original": "May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", "code": "106021", "kind": "event", "action": "firewall-rule", @@ -2038,12 +2036,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "fw111", - "message_id": "106021" + "source_interface": "fw111" } } }, @@ -2082,7 +2079,7 @@ }, "@timestamp": "2021-05-05T19:02:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2098,8 +2095,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:03.330763328Z", - "original": "%ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", + "ingested": "2021-06-09T10:11:10.716140900Z", + "original": "May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", "code": "106006", "kind": "event", "action": "firewall-rule", @@ -2110,12 +2107,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "fw111", - "message_id": "106006" + "source_interface": "fw111" } } }, @@ -2137,7 +2133,8 @@ "preserve_original_event" ], "network": { - "transport": "(no" + "iana_number": "6", + "transport": "tcp" }, "observer": { "hostname": "dev01", @@ -2152,7 +2149,7 @@ }, "@timestamp": "2021-05-05T19:02:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2168,8 +2165,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330764721Z", - "original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", + "ingested": "2021-06-09T10:11:10.716145600Z", + "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -2177,14 +2174,14 @@ "network" ], "type": [ - "info" + "info", + "denied" ], - "outcome": "tcp" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "out111", - "message_id": "106015" + "source_interface": "out111" } } }, @@ -2206,7 +2203,8 @@ "preserve_original_event" ], "network": { - "transport": "(no" + "iana_number": "6", + "transport": "tcp" }, "observer": { "hostname": "dev01", @@ -2221,7 +2219,7 @@ }, "@timestamp": "2021-05-05T19:02:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2237,8 +2235,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330766135Z", - "original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", + "ingested": "2021-06-09T10:11:10.716150400Z", + "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -2246,14 +2244,14 @@ "network" ], "type": [ - "info" + "info", + "denied" ], - "outcome": "tcp" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "out111", - "message_id": "106015" + "source_interface": "out111" } } }, @@ -2275,7 +2273,8 @@ "preserve_original_event" ], "network": { - "transport": "(no" + "iana_number": "6", + "transport": "tcp" }, "observer": { "hostname": "dev01", 
@@ -2290,7 +2289,7 @@ }, "@timestamp": "2021-05-05T19:02:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2306,8 +2305,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330767506Z", - "original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", + "ingested": "2021-06-09T10:11:10.716155200Z", + "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -2315,14 +2314,14 @@ "network" ], "type": [ - "info" + "info", + "denied" ], - "outcome": "tcp" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "fw111", - "message_id": "106015" + "source_interface": "fw111" } } }, @@ -2331,19 +2330,13 @@ "level": "informational" }, "destination": { - "nat": { - "ip": "8.8.8.8" - }, - "address": "192.168.2.2", "port": 10051, + "address": "192.168.2.2", "ip": "192.168.2.2" }, "source": { - "nat": { - "ip": "8.8.8.5" - }, - "address": "10.10.10.10", "port": 38540, + "address": "10.10.10.10", "ip": "10.10.10.10" }, "tags": [ @@ -2371,7 +2364,7 @@ }, "@timestamp": "2021-05-05T19:02:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2387,8 +2380,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330768948Z", - "original": "%ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "ingested": "2021-06-09T10:11:10.716159800Z", + "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", "code": "302022", "kind": "event", "action": "firewall-rule", 
@@ -2402,12 +2395,7 @@ "cisco": { "asa": { "destination_interface": "net", - "mapped_source_port": 38540, - "mapped_destination_ip": "8.8.8.8", - "mapped_source_ip": "8.8.8.5", - "source_interface": "fw1111", - "mapped_destination_port": 10051, - "message_id": "302022" + "source_interface": "fw1111" } } }, @@ -2416,19 +2404,13 @@ "level": "informational" }, "destination": { - "nat": { - "ip": "8.8.8.8" - }, - "address": "192.168.2.2", "port": 10051, + "address": "192.168.2.2", "ip": "192.168.2.2" }, "source": { - "nat": { - "ip": "8.8.8.5" - }, - "address": "10.10.10.10", "port": 38540, + "address": "10.10.10.10", "ip": "10.10.10.10" }, "tags": [ @@ -2456,7 +2438,7 @@ }, "@timestamp": "2021-05-05T19:02:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2472,8 +2454,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330770323Z", - "original": "%ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "ingested": "2021-06-09T10:11:10.716170800Z", + "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", "code": "302022", "kind": "event", "action": "firewall-rule", @@ -2487,12 +2469,7 @@ "cisco": { "asa": { "destination_interface": "net", - "mapped_source_port": 38540, - "mapped_destination_ip": "8.8.8.8", - "mapped_source_ip": "8.8.8.5", - "source_interface": "fw111", - "mapped_destination_port": 10051, - "message_id": "302022" + "source_interface": "fw111" } } }, @@ -2501,19 +2478,13 @@ "level": "informational" }, "destination": { - "nat": { - "ip": "8.8.8.8" - }, - "address": "192.1682.2.2", "port": 10051, + "address": "192.1682.2.2", "domain": "192.1682.2.2" }, "source": { - "nat": { - "ip": "8.8.8.5" - }, - "address": "10.10.10.10", "port": 38540, + "address": "10.10.10.10", "ip": "10.10.10.10" }, "tags": [ 
@@ -2541,7 +2512,7 @@ }, "@timestamp": "2021-05-05T19:02:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2557,8 +2528,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330771850Z", - "original": "%ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)", + "ingested": "2021-06-09T10:11:10.716176400Z", + "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)", "code": "302022", "kind": "event", "action": "firewall-rule", 
@@ -2572,44 +2543,75 @@ "cisco": { "asa": { "destination_interface": "net", - "mapped_source_port": 38540, - "mapped_destination_ip": "8.8.8.8", - "mapped_source_ip": "8.8.8.5", - "source_interface": "fw111", - "mapped_destination_port": 10051, - "message_id": "302022" + "source_interface": "fw111" } } }, { + "log": { + "level": "informational" + }, + "destination": { + "port": 10051, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "port": 39210, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "bytes": 0, + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "net" + } + }, "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } }, "@timestamp": "2021-05-05T19:02:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" ] }, - "log": { - "level": "informational" - }, "host": { "hostname": "dev01" }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330773243Z", - "original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", + "duration": 0, + "reason": "Cluster flow with CLU closed on owner", + "ingested": "2021-06-09T10:11:10.716182200Z", + "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", "code": "302023", "kind": "event", + "start": "2021-05-05T19:02:58.000Z", "action": "firewall-rule", + "end": "2021-05-05T19:02:58.000Z", "category": [ "network" ], 
@@ -2619,42 +2621,76 @@ }, "cisco": { "asa": { - "message_id": "302023" + "destination_interface": "net", + "source_interface": "fw111" } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "port": 39222, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "port": 10051, + "address": "10.10.10.10", + "ip": "10.10.10.10" }, "tags": [ "preserve_original_event" - ] - }, - { + ], + "network": { + "bytes": 0, + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "unknown" + } + }, "hostname": "dev01", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "net" + } + } }, "@timestamp": "2021-05-05T19:02:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" ] }, - "log": { - "level": "informational" - }, "host": { "hostname": "dev01" }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330774697Z", - "original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", + "duration": 0, + "reason": "Forwarding or redirect flow removed to create director or backup flow", + "ingested": "2021-06-09T10:11:10.716187400Z", + "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", "code": "302023", "kind": "event", + "start": "2021-05-05T19:02:58.000Z", "action": "firewall-rule", + "end": "2021-05-05T19:02:58.000Z", "category": [ "network" ], 
@@ -2664,12 +2700,10 @@ }, "cisco": { "asa": { - "message_id": "302023" + "destination_interface": "unknown", + "source_interface": "net" } - }, - "tags": [ - "preserve_original_event" - ] + } }, { "observer": { @@ -2680,7 +2714,7 @@ }, "@timestamp": "2021-05-05T19:03:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -2701,8 +2735,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:03.330776087Z", - "original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", + "ingested": "2021-06-09T10:11:10.716192400Z", + "original": "May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", "code": "111009", "kind": "event", "action": "firewall-rule", @@ -2715,7 +2749,6 @@ }, "cisco": { "asa": { - "message_id": "111009", "command_line_arguments": "show access-list fw211111_access_out brief" } }, @@ -2732,7 +2765,7 @@ }, "@timestamp": "2021-05-05T19:02:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -2753,8 +2786,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:03.330777946Z", - "original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", + "ingested": "2021-06-09T10:11:10.716197300Z", + "original": "May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", "code": "111009", "kind": "event", "action": "firewall-rule", @@ -2767,7 +2800,6 @@ }, "cisco": { "asa": { - "message_id": "111009", "command_line_arguments": "show access-list aaa_out brief" } }, @@ -2814,7 +2846,7 @@ }, "@timestamp": "2021-05-05T19:02:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2830,8 +2862,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330779544Z", - "original": "%ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", + "ingested": "2021-06-09T10:11:10.716202200Z", + "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2842,12 +2874,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "fw111", - "message_id": "106100", "rule_name": "fw111_out", "source_interface": "ptaaac" } @@ -2892,7 +2923,7 @@ }, "@timestamp": "2021-05-05T19:02:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2908,8 +2939,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330780958Z", - "original": "%ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", + "ingested": "2021-06-09T10:11:10.716207300Z", + "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2920,12 +2951,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "fw111", - "message_id": "106100", "rule_name": "fw111_out", "source_interface": "net" } @@ -2940,7 +2970,7 @@ }, "@timestamp": "2021-05-05T19:02:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2955,8 +2985,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330782337Z", - "original": "%ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", + "ingested": "2021-06-09T10:11:10.716212500Z", + "original": "May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", "code": "302027", "kind": "event", "action": "firewall-rule", @@ -2968,9 +2998,7 @@ ] }, "cisco": { - "asa": { - "message_id": "302027" - } + "asa": {} }, "tags": [ "preserve_original_event" @@ -2985,7 +3013,7 @@ }, "@timestamp": "2021-05-05T19:02:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3000,8 +3028,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330783770Z", - "original": "%ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", + "ingested": "2021-06-09T10:11:10.716217700Z", + "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", "code": "302026", "kind": "event", "action": "firewall-rule", @@ -3013,9 +3041,7 @@ ] }, "cisco": { - "asa": { - "message_id": "302026" - } + "asa": {} }, "tags": [ "preserve_original_event" @@ -3055,7 +3081,7 @@ }, "@timestamp": "2021-05-05T19:02:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3071,8 +3097,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:03.330785142Z", - "original": "%ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", + "ingested": "2021-06-09T10:11:10.716222900Z", + "original": "May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", "code": "710005", "kind": "event", "action": "firewall-rule", @@ -3080,13 +3106,14 @@ "network" ], "type": [ - "info" - ] + "info", + "denied" + ], + "outcome": "failure" }, "cisco": { "asa": { - "destination_interface": "net", - "message_id": "710005" + "destination_interface": "net" } } }, @@ -3099,7 +3126,7 @@ }, "@timestamp": "2021-05-05T19:02:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3114,8 +3141,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330786568Z", - "original": "%ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", + "ingested": "2021-06-09T10:11:10.716227800Z", + "original": "May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", "code": "302025", "kind": "event", "action": "firewall-rule", @@ -3127,9 +3154,7 @@ ] }, "cisco": { - "asa": { - "message_id": "302025" - } + "asa": {} }, "tags": [ "preserve_original_event" @@ -3144,7 +3169,7 @@ }, "@timestamp": "2021-05-05T19:02:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3159,8 +3184,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330788038Z", - "original": "%ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", + "ingested": "2021-06-09T10:11:10.716232500Z", + "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", "code": "302024", "kind": "event", "action": "firewall-rule", @@ -3172,9 +3197,7 @@ ] }, "cisco": { - "asa": { - "message_id": "302024" - } + "asa": {} }, "tags": [ "preserve_original_event" @@ -3185,7 +3208,7 @@ "level": "error" }, "destination": { - "address": "10.10.10.10(type", + "address": "10.10.10.10", "ip": "10.10.10.10" }, "source": { @@ -3218,7 +3241,7 @@ }, "@timestamp": "2021-05-05T19:02:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3233,8 +3256,8 @@ }, "event": { "severity": 3, - "ingested": "2021-06-03T06:53:03.330789443Z", - "original": "%ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", + "ingested": "2021-06-09T10:11:10.716236900Z", + "original": "May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", "code": "106014", "kind": "event", "action": "firewall-rule", @@ -3245,13 +3268,12 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "fw111", - "source_interface": "fw111", - "message_id": "106014" + "source_interface": "fw111" } } }, @@ -3264,7 +3286,7 @@ }, "@timestamp": "2021-05-05T19:02:25.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3279,8 +3301,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:03.330790832Z", - "original": "%ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", + "ingested": "2021-06-09T10:11:10.716241200Z", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", "code": "733100", "kind": "event", "action": "firewall-rule", @@ -3293,7 +3315,6 @@ }, "cisco": { "asa": { - "message_id": "733100", "burst": { "configured_avg_rate": "-4", "cumulative_count": "9063", @@ -3348,7 +3369,7 @@ }, "@timestamp": "2021-05-05T19:02:25.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3363,8 +3384,8 @@ }, "event": { "severity": 3, - "ingested": "2021-06-03T06:53:03.330792285Z", - "original": "%ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", + "ingested": "2021-06-09T10:11:10.716245400Z", + "original": "May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", "code": "106010", "kind": "event", "action": "firewall-rule", @@ -3375,13 +3396,12 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "fw111", - "source_interface": "fw111", - "message_id": "106010" + "source_interface": "fw111" } } }, @@ -3424,7 +3444,7 @@ }, "@timestamp": "2021-05-05T19:02:25.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3440,8 +3460,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:03.330793662Z", - "original": "%ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", + "ingested": "2021-06-09T10:11:10.716249500Z", + "original": "May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", "code": "507003", "kind": "event", "action": "firewall-rule", @@ -3455,8 +3475,7 @@ "cisco": { "asa": { "destination_interface": "out111", - "source_interface": "fw111", - "message_id": "507003" + "source_interface": "fw111" } } }, @@ -3473,7 +3492,10 @@ "ip": "10.20.30.40" }, "url": { - "original": "http://10.20.30.40/" + "path": "/", + "original": "http://10.20.30.40/", + "scheme": "http", + "domain": "10.20.30.40" }, "tags": [ "preserve_original_event" @@ -3486,7 +3508,7 @@ }, "@timestamp": "2021-04-27T04:18:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3501,8 +3523,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:03.330795174Z", - "original": "%ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", + "ingested": "2021-06-09T10:11:10.716253800Z", + "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -3513,12 +3535,10 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { - "asa": { - "message_id": "304001" - } + "asa": {} } }, { @@ -3534,7 +3554,10 @@ "ip": "10.20.30.40" }, "url": { - "original": "http://10.20.30.40/IOFUHSIU98[0]" + "path": "/IOFUHSIU98[0]", + "original": "http://10.20.30.40/IOFUHSIU98[0]", + "scheme": "http", + "domain": "10.20.30.40" }, "tags": [ "preserve_original_event" 
@@ -3547,7 +3570,7 @@ }, "@timestamp": "2021-04-27T04:18:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3562,8 +3585,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:03.330796579Z", - "original": "%ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", + "ingested": "2021-06-09T10:11:10.716258Z", + "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -3574,12 +3597,10 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { - "asa": { - "message_id": "304001" - } + "asa": {} } }, { @@ -3595,7 +3616,10 @@ "ip": "10.20.30.40" }, "url": { - "original": "http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23" + "path": "/some/longer/url-asd-er9789870[0]_=23", + "original": "http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", + "scheme": "http", + "domain": "10.20.30.40" }, "tags": [ "preserve_original_event" @@ -3608,7 +3632,7 @@ }, "@timestamp": "2021-04-27T17:54:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3623,8 +3647,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:03.330797988Z", - "original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", + "ingested": "2021-06-09T10:11:10.716262Z", + "original": "Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -3635,12 +3659,10 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { - "asa": { - "message_id": "304001" - } + "asa": {} } }, { 
@@ -3656,7 +3678,10 @@ "ip": "10.20.30.40" }, "url": { - "original": "http://10.20.30.40/" + "path": "/", + "original": "http://10.20.30.40/", + "scheme": "http", + "domain": "10.20.30.40" }, "tags": [ "preserve_original_event" @@ -3669,7 +3694,7 @@ }, "@timestamp": "2021-04-27T04:18:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3684,8 +3709,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:03.330799377Z", - "original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", + "ingested": "2021-06-09T10:11:10.716266400Z", + "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -3696,12 +3721,10 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { - "asa": { - "message_id": "304001" - } + "asa": {} } }, { @@ -3774,7 +3797,7 @@ }, "@timestamp": "2021-04-27T04:12:23.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3791,8 +3814,9 @@ "event": { "severity": 6, "duration": 3602000000000, - "ingested": "2021-06-03T06:53:03.330800848Z", - "original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", + "reason": "Connection timeout", + "ingested": "2021-06-09T10:11:10.716270600Z", + "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", "code": "302304", "kind": "event", "start": "2021-04-27T03:12:21.000Z", @@ -3809,7 +3833,6 @@ "cisco": { "asa": { "destination_interface": "server.deflan", - "message_id": "302304", "connection_id": "2751765169", "source_interface": "server.deflan" } 
@@ -3854,7 +3877,7 @@ }, "@timestamp": "2021-04-27T02:02:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3870,8 +3893,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:03.330802248Z", - "original": "%ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", + "ingested": "2021-06-09T10:11:10.716274700Z", + "original": "Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -3882,12 +3905,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "srv", - "message_id": "106023", "rule_name": "global_access_1", "source_interface": "outside" } @@ -3950,7 +3972,7 @@ }, "@timestamp": "2019-10-20T15:15:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3966,8 +3988,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:03.330803725Z", - "original": "%ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "ingested": "2021-06-09T10:11:10.716278700Z", + "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -3978,12 +4000,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "OUTSIDE", - "message_id": "106100", "rule_name": "testrulename", "source_interface": "insideintf" } 
@@ -4008,7 +4029,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4021,13 +4042,14 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:03.330805137Z", - "original": "%ASA-5-111004: console end configuration: OK", + "ingested": "2021-06-09T10:11:10.716282700Z", + "original": "Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK", "code": "111004", "kind": "event", "action": "firewall-rule", "type": [ - "info" + "info", + "allowed" ], "category": [ "network" @@ -4035,9 +4057,7 @@ "outcome": "success" }, "cisco": { - "asa": { - "message_id": "111004" - } + "asa": {} } }, { @@ -4059,7 +4079,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -4080,8 +4100,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:03.330806591Z", - "original": "%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", + "ingested": "2021-06-09T10:11:10.716286800Z", + "original": "Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", "code": "111010", "kind": "event", "action": "firewall-rule", @@ -4094,7 +4114,6 @@ }, "cisco": { "asa": { - "message_id": "111010", "command_line_arguments": "'clear'" } } @@ -4108,7 +4127,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -4129,8 +4148,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:03.330808046Z", - "original": "%ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15", + "ingested": "2021-06-09T10:11:10.716290900Z", + "original": "Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15", "code": "502103", "kind": "event", "action": "firewall-rule", 
@@ -4143,7 +4162,6 @@ }, "cisco": { "asa": { - "message_id": "502103", "privilege": { "new": "15", "old": "1" @@ -4189,7 +4207,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -4208,8 +4226,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330809508Z", - "original": "%ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", + "ingested": "2021-06-09T10:11:10.716295Z", + "original": "Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", "code": "605004", "kind": "event", "action": "firewall-rule", @@ -4220,12 +4238,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "destination_interface": "FCD-FS-LAN", - "message_id": "605004" + "destination_interface": "FCD-FS-LAN" } } }, @@ -4248,7 +4265,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -4269,8 +4286,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330810928Z", - "original": "%ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", + "ingested": "2021-06-09T10:11:10.716299Z", + "original": "Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", "code": "611102", "kind": "event", "action": "firewall-rule", @@ -4283,9 +4300,7 @@ "outcome": "failed" }, "cisco": { - "asa": { - "message_id": "611102" - } + "asa": {} } }, { @@ -4323,7 +4338,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4342,8 +4357,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330812445Z", - "original": "%ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", + "ingested": "2021-06-09T10:11:10.716303Z", + "original": "Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", "code": "605005", "kind": "event", "action": "firewall-rule", @@ -4354,12 +4369,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { - "destination_interface": "FCD-FS-LAN", - "message_id": "605005" + "destination_interface": "FCD-FS-LAN" } } }, @@ -4382,7 +4396,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -4403,8 +4417,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330814578Z", - "original": "%ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", + "ingested": "2021-06-09T10:11:10.716307Z", + "original": "Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", "code": "611101", "kind": "event", "action": "firewall-rule", @@ -4417,9 +4431,7 @@ "outcome": "succeeded" }, "cisco": { - "asa": { - "message_id": "611101" - } + "asa": {} } }, { @@ -4459,7 +4471,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4474,8 +4486,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:03.330816078Z", - "original": "%ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "ingested": "2021-06-09T10:11:10.716311100Z", + "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", "code": "713049", "kind": "event", "action": "firewall-rule", @@ -4487,9 +4499,7 @@ ] }, "cisco": { - "asa": { - "message_id": "713049" - } + "asa": {} } }, { @@ -4536,7 +4546,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -4555,8 +4565,8 @@ "event": { "severity": 4, "duration": 0, - "ingested": "2021-06-03T06:53:03.330817520Z", - "original": "%ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "ingested": "2021-06-09T10:11:10.716315100Z", + "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", "code": "113019", "kind": "event", "start": "2021-04-27T02:03:03.000Z", @@ -4570,9 +4580,7 @@ ] }, "cisco": { - "asa": { - "message_id": "113019" - } + "asa": {} } }, { 
@@ -4580,26 +4588,11 @@ "level": "warning" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", "user": { - "name": "testuser" + "name": "john" }, - "ip": "8.8.8.8" + "address": "192.168.50.3", + "ip": "192.168.50.3" }, "tags": [ "preserve_original_event" @@ -4612,17 +4605,17 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ - "testuser" + "john" ], "hosts": [ "dev01" ], "ip": [ - "8.8.8.8" + "192.168.50.3" ] }, "host": { @@ -4630,8 +4623,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:03.330818994Z", - "original": "%ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session", + "ingested": "2021-06-09T10:11:10.716319Z", + "original": "Apr 27 02:03:03 dev01: %ASA-4-722051: Group \u003cVPN5Policy\u003e User \u003cjohn\u003e IP \u003c192.168.50.3\u003e IPv4 Address \u003c192.168.50.5\u003e IPv6 address \u003c::\u003e assigned to session", "code": "722051", "kind": "event", "action": "firewall-rule", @@ -4644,8 +4637,10 @@ }, "cisco": { "asa": { - "message_id": "722051", - "assigned_ip": "8.8.4.4" + "webvpn": { + "group_name": "VPN5Policy" + }, + "assigned_ip": "192.168.50.5" } } }, @@ -4686,7 +4681,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4704,8 +4699,9 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:03.330820368Z", - "original": "%ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", + "reason": "User Requested", + "ingested": "2021-06-09T10:11:10.716323Z", + "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", "code": "716002", "kind": "event", "action": "firewall-rule", @@ -4718,13 +4714,76 @@ }, "cisco": { "asa": { - "message_id": "716002" + "webvpn": { + "group_name": "another-policy" + } } } }, { "log": { - "level": "error" + "level": "informational" + }, + "source": { + "user": { + "name": "alice" + }, + "address": "192.168.50.1", + "ip": "192.168.50.1" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2021-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "alice" + ], + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.50.1" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "reason": "Idle timeout", + "ingested": "2021-06-09T10:11:10.716328400Z", + "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.", + "code": "716002", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "webvpn": { + "group_name": "another-policy" + } + } + } + }, + { + "log": { + "level": "error" }, "destination": { "geo": { @@ -4792,7 +4851,7 @@ }, "@timestamp": "2021-04-27T02:03:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4808,8 +4867,8 @@ }, "event": { "severity": 3, - "ingested": "2021-06-03T06:53:03.330821840Z", - "original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", + "ingested": "2021-06-09T10:11:10.716332600Z", + "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", "code": "710003", "kind": "event", "action": "firewall-rule", 
@@ -4817,14 +4876,1086 @@ "network" ], "type": [ - "info" + "info", + "denied" + ], + "outcome": "failure" + }, + "cisco": { + "asa": { + "destination_interface": "outside" + } + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "port": 123123, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + "name": "CDW Ltd" + } + }, + "address": "91.240.17.178", + "port": 8888, + "ip": "91.240.17.178" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "destinationInterfaceName" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "sourceInterfaceName" + } + } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.178", + "192.168.2.2" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 5, + "ingested": "2021-06-09T10:11:10.716336800Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally", + "code": "434004", + "kind": "event", + "action": "bypass", + "category": [ + "network" + ], + "type": [ + "info", + "change" + ], + "outcome": "unknown" + }, + "cisco": { + "asa": { + "destination_interface": "destinationInterfaceName", + "source_interface": "sourceInterfaceName" + } + } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "port": 514514, + "address": 
"192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + "name": "CDW Ltd" + } + }, + "address": "91.240.17.138", + "port": 8888, + "ip": "91.240.17.138" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "destinationInterfaceName" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "sourceInterfaceName" + } + } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.138", + "192.168.2.2" ] }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "action": "drop", + "ingested": "2021-06-09T10:11:10.716341100Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514", + "code": "434002", + "outcome": "unknown" + }, "cisco": { "asa": { - "destination_interface": "outside", - "message_id": "710003" + "destination_interface": "destinationInterfaceName", + "source_interface": "sourceInterfaceName" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "port": 123412, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + 
"name": "CDW Ltd" + } + }, + "address": "91.240.17.178", + "port": 7777, + "ip": "91.240.17.178" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "tcp" + }, + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "sourceInterfaceName" + } } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.178", + "192.168.2.2" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "reason": "Failed to locate egress interface", + "ingested": "2021-06-09T10:11:10.716346600Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412", + "code": "110002", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "failure" + }, + "cisco": { + "asa": { + "source_interface": "sourceInterfaceName" + } + } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "port": 514514, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + "name": "CDW Ltd" + } + }, + "address": "91.240.17.178", + "port": 7777, + "ip": "91.240.17.178" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "destinationInterfaceName" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": 
"sourceInterfaceName" + } + } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.178", + "192.168.2.2" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "reason": "Duplicate TCP SYN with different initial sequence number", + "ingested": "2021-06-09T10:11:10.716351100Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", + "code": "419002", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "destinationInterfaceName", + "source_interface": "sourceInterfaceName" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + "name": "CDW Ltd" + } + }, + "address": "91.240.17.178", + "ip": "91.240.17.178" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipsec", + "inner": "LAN-to-LAN", + "direction": "outbound" + }, + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "admin" + ], + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.178", + "192.168.2.2" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "action": "created", + "ingested": "2021-06-09T10:11:10.716356Z", + "original": 
"Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.", + "code": "602303", + "outcome": "success" + }, + "user": { + "name": "admin" + }, + "cisco": { + "asa": {} + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + "name": "CDW Ltd" + } + }, + "address": "91.240.17.178", + "ip": "91.240.17.178" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipsec", + "inner": "LAN-to-LAN", + "direction": "outbound" + }, + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "admin" + ], + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.178", + "192.168.2.2" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "ingested": "2021-06-09T10:11:10.716360100Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.", + "code": "602304", + "kind": "event", + "action": "deleted", + "category": [ + "network" + ], + "type": [ + "info", + "deletion", + "user", + "allowed" + ], + "outcome": "success" + }, + "user": { + "name": "admin" + }, + "cisco": { + "asa": {} + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "port": 7777, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "geo": { + "continent_name": "Europe", + 
"region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + "name": "CDW Ltd" + } + }, + "address": "91.240.17.178", + "port": 7777, + "ip": "91.240.17.178" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "admin" + ], + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.178", + "192.168.2.2" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 5, + "reason": "Received a IKE_INIT_SA request", + "ingested": "2021-06-09T10:11:10.716364300Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", + "code": "750002", + "kind": "event", + "action": "connection-started", + "category": [ + "network" + ], + "type": [ + "connection", + "start" + ] + }, + "user": { + "name": "admin" + }, + "cisco": { + "asa": {} + } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "port": 7777, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + "name": "CDW Ltd" + } + }, + "address": "91.240.17.178", + "port": 7777, + "ip": "91.240.17.178" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", 
+ "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "admin" + ], + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.178", + "192.168.2.2" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "reason": "Negotiation aborted due to Failed to locate an item in the database", + "ingested": "2021-06-09T10:11:10.716368200Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", + "code": "750003", + "kind": "event", + "action": "error", + "type": [ + "error" + ], + "category": [ + "network" + ] + }, + "user": { + "name": "admin" + }, + "cisco": { + "asa": {} + } + }, + { + "log": { + "level": "notification" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "192.128.1.1", + "ip": "192.128.1.1" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.128.1.1" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 5, + "reason": "PHASE 2 COMPLETED", + "ingested": "2021-06-09T10:11:10.716372300Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", + "code": "713120", + "kind": "event", + "action": "firewall-rule", + "id": "bbe383e88", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "success" + }, + "cisco": { + "asa": {} + } + }, + { + "log": { + "level": "notification" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United 
States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "192.64.157.61", + "ip": "192.64.157.61" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.64.157.61" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 5, + "reason": "Duplicate first packet detected", + "ingested": "2021-06-09T10:11:10.716376200Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.", + "code": "713202", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": {} + } + }, + { + "log": { + "level": "informational" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "192.128.1.1", + "ip": "192.128.1.1" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.128.1.1" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "reason": "All IPSec SA proposals found unacceptable!", + "ingested": "2021-06-09T10:11:10.716380100Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "code": "713905", + "kind": "event", + "action": "error", + "type": [ + "error", + "denied" + ], + "category": [ + "network" + ], + "outcome": "failure" + 
}, + "cisco": { + "asa": {} + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "reason": "All IPSec SA proposals found unacceptable!", + "ingested": "2021-06-09T10:11:10.716383800Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!", + "code": "713904", + "kind": "event", + "action": "error", + "type": [ + "error", + "denied" + ], + "category": [ + "network" + ], + "outcome": "failure" + }, + "cisco": { + "asa": {} + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "ingested": "2021-06-09T10:11:10.716387600Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "code": "713903", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": {} + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "reason": "All IPSec SA proposals found unacceptable!", + "ingested": 
"2021-06-09T10:11:10.716391400Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!", + "code": "713902", + "kind": "event", + "action": "error", + "type": [ + "error", + "denied" + ], + "category": [ + "network" + ], + "outcome": "failure" + }, + "cisco": { + "asa": {} + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "log": { + "level": "informational" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "192.128.1.1", + "ip": "192.128.1.1" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.128.1.1" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "reason": "All IPSec SA proposals found unacceptable!", + "ingested": "2021-06-09T10:11:10.716395200Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "code": "713901", + "kind": "event", + "action": "error", + "type": [ + "error", + "denied" + ], + "category": [ + "network" + ], + "outcome": "failure" + }, + "cisco": { + "asa": {} } } ] diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json index ef35462db86..20f6ab1bc85 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json 
@@ -40,7 +40,7 @@ }, "@timestamp": "2020-04-17T14:08:08.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -57,8 +57,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:05.971960714Z", - "original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", + "ingested": "2021-06-09T10:11:13.122896Z", + "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", "code": "302016", "kind": "event", "start": "2020-04-17T14:08:08.000Z", @@ -76,7 +76,7 @@ "asa": { "source_username": "(LOCAL\\Elastic)", "destination_interface": "Inside", - "message_id": "302016", + "termination_user": "zzzzzz", "connection_id": "110577675", "source_interface": "Outside" } @@ -119,7 +119,7 @@ }, "@timestamp": "2020-04-17T14:00:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -134,8 +134,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:05.971967472Z", - "original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.122912100Z", + "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -146,12 +146,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "Outside", - "message_id": "106023", "rule_name": "Inside_access_in", "source_interface": "Inside" } 
@@ -195,7 +194,7 @@ }, "@timestamp": "2013-04-15T09:36:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -204,8 +203,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:05.971968980Z", - "original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", + "ingested": "2021-06-09T10:11:13.122916200Z", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -216,12 +215,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "acl_dmz", "source_interface": "dmz" } @@ -266,7 +264,7 @@ }, "@timestamp": "2020-04-17T14:16:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -281,8 +279,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:05.971970368Z", - "original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.122919700Z", + "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -293,13 +291,12 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "source_username": "(LOCAL\\Elastic)", "destination_interface": "Outside", - "message_id": "106023", "rule_name": "Inside_access_in", "source_interface": "Inside" } 
@@ -328,7 +325,7 @@ }, "@timestamp": "2020-04-17T14:15:07.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -343,8 +340,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:05.971971748Z", - "original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", + "ingested": "2021-06-09T10:11:13.122922600Z", + "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", "code": "106017", "kind": "event", "action": "firewall-rule", @@ -355,12 +352,10 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { - "asa": { - "message_id": "106017" - } + "asa": {} } }, { @@ -391,7 +386,7 @@ }, "@timestamp": "2020-04-17T14:15:07.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -406,8 +401,8 @@ }, "event": { "severity": 3, - "ingested": "2021-06-03T06:53:05.971973067Z", - "original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", + "ingested": "2021-06-09T10:11:13.122925400Z", + "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", "code": "313008", "kind": "event", "action": "firewall-rule", @@ -418,14 +413,13 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "icmp_type": 134, - "message_id": "313008", - "icmp_code": 0, - "source_interface": "ISP1" + "source_interface": "ISP1", + "icmp_code": 0 } } }, @@ -467,7 +461,7 @@ }, "@timestamp": "2020-06-08T12:59:57.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
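Review bot: The 106017 expectation in this hunk now keeps an empty `"asa": {}` object under `cisco`, while every other event in these files still carries at least one `cisco.asa.*` field; since the only field this event had was the removed `message_id`, the pipeline appears to leave the empty parent object behind instead of dropping it. An empty object adds nothing to the indexed document and makes the regenerated expectations inconsistent with each other. If that is unintended, the fix belongs in the ingest pipeline rather than in this fixture, presumably a conditional `remove` of `cisco.asa` when the map is empty, after which this expected-output file should be regenerated rather than hand-edited.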
@@ -477,8 +471,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:05.971974392Z", - "original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8", + "ingested": "2021-06-09T10:11:13.122928300Z", + "original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8", "code": "313009", "kind": "event", "action": "firewall-rule", @@ -489,7 +483,7 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { @@ -499,7 +493,6 @@ "mapped_source_ip": "10.255.0.206", "source_interface": "Inside", "mapped_destination_port": 0, - "message_id": "313009", "icmp_code": 9 } } @@ -542,7 +535,7 @@ }, "@timestamp": "2019-10-20T15:42:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -552,8 +545,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:05.971975706Z", - "original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "ingested": "2021-06-09T10:11:13.122931100Z", + "original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -564,12 +557,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106100", "rule_name": "incoming", "source_interface": "dmz2" } @@ -613,7 +605,7 @@ }, "@timestamp": "2019-10-20T15:42:54.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -623,8 +615,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:05.971977012Z", - "original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "ingested": "2021-06-09T10:11:13.122934700Z", + "original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -635,12 +627,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106100", "rule_name": "incoming", "source_interface": "dmz2" } @@ -684,7 +675,7 @@ }, "@timestamp": "2020-08-06T11:01:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -697,8 +688,8 @@ }, "event": { "severity": 3, - "ingested": "2021-06-03T06:53:05.971978321Z", - "original": "%ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "ingested": "2021-06-09T10:11:13.122938500Z", + "original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", "code": "106102", "kind": "event", "action": "firewall-rule", @@ -709,7 +700,7 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "redacted" @@ -717,7 +708,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106102", "suffix": "session", "rule_name": "dev_inward_client", "source_interface": "outside" 
@@ -773,7 +763,7 @@ }, "@timestamp": "2020-08-06T11:01:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -786,8 +776,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:05.971979648Z", - "original": "%ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "ingested": "2021-06-09T10:11:13.122941400Z", + "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", "code": "106103", "kind": "event", "action": "firewall-rule", @@ -798,7 +788,7 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "user": { "name": "joe" @@ -806,7 +796,6 @@ "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106103", "rule_name": "filter", "source_interface": "inside" } diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json index 1c300e0f7eb..2e25196cc73 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json @@ -43,7 +43,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -59,8 +59,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431222405Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "ingested": "2021-06-09T10:11:13.439115800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -74,8 +74,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -123,7 +122,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -139,8 +138,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431231152Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "ingested": "2021-06-09T10:11:13.439131600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -159,8 +158,7 @@ "mapped_source_ip": "100.66.205.104", "connection_id": "11757", "source_interface": "outside", - "mapped_destination_port": 1772, - "message_id": "302013" + "mapped_destination_port": 1772 } } }, @@ -208,7 +206,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -225,8 +223,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:06.431233817Z", - "original": "%ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439135500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", 
@@ -243,7 +242,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11749", "source_interface": "outside" } @@ -293,7 +291,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -310,8 +308,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:06.431235335Z", - "original": "%ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439138600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -328,7 +327,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11748", "source_interface": "outside" } @@ -378,7 +376,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -395,8 +393,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:06.431236881Z", - "original": "%ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439141300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", 
@@ -413,7 +412,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11745", "source_interface": "outside" } @@ -463,7 +461,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -480,8 +478,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:06.431238532Z", - "original": "%ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439144100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -498,7 +497,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11744", "source_interface": "outside" } @@ -548,7 +546,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -565,8 +563,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:06.431239986Z", - "original": "%ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439146700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", 
@@ -583,7 +582,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11742", "source_interface": "outside" } @@ -633,7 +631,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -650,8 +648,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:06.431241374Z", - "original": "%ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439149300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -668,7 +667,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11738", "source_interface": "outside" } @@ -718,7 +716,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -735,8 +733,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:06.431242747Z", - "original": "%ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439151800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", 
@@ -753,7 +752,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11739", "source_interface": "outside" } @@ -803,7 +801,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -820,8 +818,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:06.431244112Z", - "original": "%ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439154200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -838,7 +837,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11731", "source_interface": "outside" } @@ -888,7 +886,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -905,8 +903,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:06.431246428Z", - "original": "%ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439156800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", 
@@ -923,7 +922,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11723", "source_interface": "outside" } @@ -973,7 +971,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -990,8 +988,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:06.431248479Z", - "original": "%ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439159600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1008,7 +1007,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11715", "source_interface": "outside" } @@ -1058,7 +1056,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1075,8 +1073,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:06.431250257Z", - "original": "%ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439162100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", 
@@ -1093,7 +1092,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11711", "source_interface": "outside" } @@ -1143,7 +1141,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1160,8 +1158,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:06.431251925Z", - "original": "%ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439164600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1178,7 +1177,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11712", "source_interface": "outside" } @@ -1228,7 +1226,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1245,8 +1243,9 @@ "event": { "severity": 6, "duration": 70000000000, - "ingested": "2021-06-03T06:53:06.431253269Z", - "original": "%ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439167100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", 
@@ -1263,7 +1262,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11708", "source_interface": "outside" } @@ -1313,7 +1311,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1330,8 +1328,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:06.431254850Z", - "original": "%ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439169800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -1348,7 +1347,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11746", "source_interface": "outside" } @@ -1398,7 +1396,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1415,8 +1413,9 @@ "event": { "severity": 6, "duration": 70000000000, - "ingested": "2021-06-03T06:53:06.431256385Z", - "original": "%ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439172300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", 
@@ -1433,7 +1432,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11706", "source_interface": "outside" } @@ -1483,7 +1481,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1500,8 +1498,9 @@ "event": { "severity": 6, "duration": 71000000000, - "ingested": "2021-06-03T06:53:06.431257752Z", - "original": "%ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439175Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:45.000Z", @@ -1518,7 +1517,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11702", "source_interface": "outside" } @@ -1568,7 +1566,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1585,8 +1583,9 @@ "event": { "severity": 6, "duration": 30000000000, - "ingested": "2021-06-03T06:53:06.431259143Z", - "original": "%ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "reason": "SYN Timeout", + "ingested": "2021-06-09T10:11:13.439177500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:26.000Z", 
@@ -1603,7 +1602,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11753", "source_interface": "outside" } @@ -1652,7 +1650,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1668,8 +1666,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431260548Z", - "original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", + "ingested": "2021-06-09T10:11:13.439180Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1683,8 +1681,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -1732,7 +1729,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1748,8 +1745,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431261891Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439182400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1768,8 +1765,7 @@ "mapped_source_ip": "100.66.80.32", "connection_id": "11758", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, 
@@ -1817,7 +1813,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1834,8 +1830,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431263430Z", - "original": "%ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", + "ingested": "2021-06-09T10:11:13.439185Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -1852,7 +1848,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11758", "source_interface": "outside" } @@ -1902,7 +1897,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1918,8 +1913,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431264782Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439187600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1938,8 +1933,7 @@ "mapped_source_ip": "100.66.252.6", "connection_id": "11759", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -1987,7 +1981,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2004,8 +1998,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431266324Z", - "original": "%ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "ingested": "2021-06-09T10:11:13.439191Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2022,7 +2016,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11759", "source_interface": "outside" } @@ -2071,7 +2064,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2087,8 +2080,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431267673Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", + "ingested": "2021-06-09T10:11:13.439193800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2102,8 +2095,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -2151,7 +2143,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2167,8 +2159,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431269061Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "ingested": "2021-06-09T10:11:13.439196700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2187,8 +2179,7 @@ "mapped_source_ip": "100.66.252.226", "connection_id": "11760", "source_interface": "outside", - "mapped_destination_port": 1773, - "message_id": "302013" + "mapped_destination_port": 1773 } } }, @@ -2235,7 +2226,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2251,8 +2242,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431270744Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", + "ingested": "2021-06-09T10:11:13.439199100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2266,8 +2257,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -2315,7 +2305,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2331,8 +2321,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431272218Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "ingested": "2021-06-09T10:11:13.439202400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2351,8 +2341,7 @@ "mapped_source_ip": "100.66.252.226", "connection_id": "11761", "source_interface": "outside", - "mapped_destination_port": 1774, - "message_id": "302013" + "mapped_destination_port": 1774 } } }, @@ -2400,7 +2389,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2416,8 +2405,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431273777Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439205100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2436,8 +2425,7 @@ "mapped_source_ip": "100.66.238.126", "connection_id": "11762", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -2485,7 +2473,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2501,8 +2489,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431275155Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439208100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2521,8 +2509,7 @@ "mapped_source_ip": "100.66.93.51", "connection_id": "11763", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -2570,7 +2557,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2587,8 +2574,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431276496Z", - "original": "%ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "ingested": "2021-06-09T10:11:13.439210900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2605,7 +2592,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11762", "source_interface": "outside" } @@ -2655,7 +2641,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2672,8 +2658,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431277958Z", - "original": "%ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "ingested": "2021-06-09T10:11:13.439214300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2690,7 +2676,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11763", "source_interface": "outside" } @@ -2739,7 +2724,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2755,8 +2740,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431279493Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", + "ingested": "2021-06-09T10:11:13.439217100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2770,8 +2755,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -2819,7 +2803,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2835,8 +2819,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431280870Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "ingested": "2021-06-09T10:11:13.439219900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2855,8 +2839,7 @@ "mapped_source_ip": "100.66.225.103", "connection_id": "11764", "source_interface": "outside", - "mapped_destination_port": 1775, - "message_id": "302013" + "mapped_destination_port": 1775 } } }, @@ -2903,7 +2886,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2919,8 +2902,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431282335Z", - "original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", + "ingested": "2021-06-09T10:11:13.439222500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2934,8 +2917,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -2983,7 +2965,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2999,8 +2981,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431283699Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439225Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3019,8 +3001,7 @@ "mapped_source_ip": "100.66.240.126", "connection_id": "11772", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -3068,7 +3049,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3084,8 +3065,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431285032Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439227500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3104,8 +3085,7 @@ "mapped_source_ip": "100.66.44.45", "connection_id": "11773", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -3153,7 +3133,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3170,8 +3150,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431286506Z", - "original": "%ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "ingested": "2021-06-09T10:11:13.439230200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3188,7 +3168,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11772", "source_interface": "outside" } @@ -3238,7 +3217,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3255,8 +3234,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431288865Z", - "original": "%ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "ingested": "2021-06-09T10:11:13.439232700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3273,7 +3252,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11773", "source_interface": "outside" } @@ -3322,7 +3300,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3338,8 +3316,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431290431Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", + "ingested": "2021-06-09T10:11:13.439237400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3353,8 +3331,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -3402,7 +3379,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3418,8 +3395,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431291783Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "ingested": "2021-06-09T10:11:13.439240100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3438,8 +3415,7 @@ "mapped_source_ip": "100.66.179.219", "connection_id": "11774", "source_interface": "outside", - "mapped_destination_port": 1452, - "message_id": "302013" + "mapped_destination_port": 1452 } } }, @@ -3487,7 +3463,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3503,8 +3479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431293216Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439242600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3523,8 +3499,7 @@ "mapped_source_ip": "100.66.157.232", "connection_id": "11775", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -3572,7 +3547,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3588,8 +3563,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431294586Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439245200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3608,8 +3583,7 @@ "mapped_source_ip": "100.66.178.133", "connection_id": "11776", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -3657,7 +3631,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3674,8 +3648,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431296269Z", - "original": "%ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "ingested": "2021-06-09T10:11:13.439247700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3692,7 +3666,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11775", "source_interface": "outside" } @@ -3742,7 +3715,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3759,8 +3732,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431298020Z", - "original": "%ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "ingested": "2021-06-09T10:11:13.439250300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3777,7 +3750,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11776", "source_interface": "outside" } @@ -3826,7 +3798,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3842,8 +3814,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431299700Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", + "ingested": "2021-06-09T10:11:13.439252900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3857,8 +3829,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -3906,7 +3877,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3922,8 +3893,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431301270Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "ingested": "2021-06-09T10:11:13.439255400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3942,8 +3913,7 @@ "mapped_source_ip": "100.66.133.112", "connection_id": "11777", "source_interface": "outside", - "mapped_destination_port": 1453, - "message_id": "302013" + "mapped_destination_port": 1453 } } }, @@ -3991,7 +3961,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4008,8 +3978,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431302985Z", - "original": "%ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439258Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4026,7 +3997,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11777", "source_interface": "outside" } @@ -4076,7 +4046,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4092,8 +4062,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431304381Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439260600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -4112,8 +4082,7 @@ "mapped_source_ip": "100.66.204.197", "connection_id": "11779", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -4161,7 +4130,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4178,8 +4147,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431305918Z", - "original": "%ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-06-09T10:11:13.439263200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4196,7 +4165,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11778", "source_interface": "outside" } @@ -4246,7 +4214,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4263,8 +4231,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431307571Z", - "original": "%ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "ingested": "2021-06-09T10:11:13.439265900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4281,7 +4249,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11779", "source_interface": "outside" } @@ -4330,7 +4297,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4346,8 +4313,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431309269Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", + "ingested": "2021-06-09T10:11:13.439268300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4361,8 +4328,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -4410,7 +4376,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4426,8 +4392,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431310857Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "ingested": "2021-06-09T10:11:13.439270900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4446,8 +4412,7 @@ "mapped_source_ip": "100.66.128.3", "connection_id": "11780", "source_interface": "outside", - "mapped_destination_port": 1454, - "message_id": "302013" + "mapped_destination_port": 1454 } } }, @@ -4494,7 +4459,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4510,8 +4475,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431312435Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", + "ingested": "2021-06-09T10:11:13.439273400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4525,8 +4490,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -4574,7 +4538,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4590,8 +4554,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431313749Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "ingested": "2021-06-09T10:11:13.439276400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4610,8 +4574,7 @@ "mapped_source_ip": "100.66.128.3", "connection_id": "11781", "source_interface": "outside", - "mapped_destination_port": 1455, - "message_id": "302013" + "mapped_destination_port": 1455 } } }, @@ -4658,7 +4621,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4674,8 +4637,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431315064Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", + "ingested": "2021-06-09T10:11:13.439279Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4689,8 +4652,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -4738,7 +4700,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4754,8 +4716,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431316512Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "ingested": "2021-06-09T10:11:13.439282200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4774,8 +4736,7 @@ "mapped_source_ip": "100.66.128.3", "connection_id": "11782", "source_interface": "outside", - "mapped_destination_port": 1456, - "message_id": "302013" + "mapped_destination_port": 1456 } } }, @@ -4823,7 +4784,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4839,8 +4800,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431317857Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439284900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -4859,8 +4820,7 @@ "mapped_source_ip": "100.66.100.4", "connection_id": "11783", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -4908,7 +4868,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4925,8 +4885,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431319279Z", - "original": "%ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-06-09T10:11:13.439287400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4943,7 +4903,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11783", "source_interface": "outside" } @@ -4992,7 +4951,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5008,8 +4967,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431320730Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", + "ingested": "2021-06-09T10:11:13.439290Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5023,8 +4982,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -5072,7 +5030,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5088,8 +5046,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431322642Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "ingested": "2021-06-09T10:11:13.439292600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5108,8 +5066,7 @@ "mapped_source_ip": "100.66.198.40", "connection_id": "11784", "source_interface": "outside", - "mapped_destination_port": 1457, - "message_id": "302013" + "mapped_destination_port": 1457 } } }, @@ -5156,7 +5113,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5172,8 +5129,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431324374Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", + "ingested": "2021-06-09T10:11:13.439295200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5187,8 +5144,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -5236,7 +5192,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5252,8 +5208,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431326303Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "ingested": "2021-06-09T10:11:13.439297900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5272,8 +5228,7 @@ "mapped_source_ip": "100.66.198.40", "connection_id": "11785", "source_interface": "outside", - "mapped_destination_port": 1458, - "message_id": "302013" + "mapped_destination_port": 1458 } } }, @@ -5321,7 +5276,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5337,8 +5292,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431327870Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439300400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -5357,8 +5312,7 @@ "mapped_source_ip": "100.66.1.107", "connection_id": "11786", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -5406,7 +5360,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5423,8 +5377,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431335764Z", - "original": "%ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439302900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -5441,7 +5396,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11784", "source_interface": "outside" } @@ -5490,7 +5444,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5506,8 +5460,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431337641Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", + "ingested": "2021-06-09T10:11:13.439305400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5521,8 +5475,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -5570,7 +5523,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5586,8 +5539,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431339286Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "ingested": "2021-06-09T10:11:13.439307900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5606,8 +5559,7 @@ "mapped_source_ip": "100.66.198.40", "connection_id": "11787", "source_interface": "outside", - "mapped_destination_port": 1459, - "message_id": "302013" + "mapped_destination_port": 1459 } } }, @@ -5655,7 +5607,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5672,8 +5624,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431340788Z", - "original": "%ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "ingested": "2021-06-09T10:11:13.439310400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -5690,7 +5642,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11786", "source_interface": "outside" } @@ -5739,7 +5690,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5755,8 +5706,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431342167Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", + "ingested": "2021-06-09T10:11:13.439313Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5770,8 +5721,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -5819,7 +5769,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5835,8 +5785,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431343575Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "ingested": "2021-06-09T10:11:13.439315600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5855,8 +5805,7 @@ "mapped_source_ip": "100.66.192.44", "connection_id": "11788", "source_interface": "outside", - "mapped_destination_port": 1460, - "message_id": "302013" + "mapped_destination_port": 1460 } } }, @@ -5879,7 +5828,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5891,8 +5840,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431344947Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439335900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -5904,9 +5853,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -5952,7 +5899,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5968,8 +5915,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431346593Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", + "ingested": "2021-06-09T10:11:13.439341300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5983,8 +5930,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -6032,7 +5978,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6048,8 +5994,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431347957Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "ingested": "2021-06-09T10:11:13.439344700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -6068,8 +6014,7 @@ "mapped_source_ip": "100.66.19.254", "connection_id": "11797", "source_interface": "outside", - "mapped_destination_port": 1385, - "message_id": "302013" + "mapped_destination_port": 1385 } } }, @@ -6092,7 +6037,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6104,8 +6049,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431349346Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439347500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6117,9 +6062,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -6141,7 +6084,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6153,8 +6096,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431351437Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439350200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6166,9 +6109,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -6190,7 +6131,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6202,8 +6143,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431352879Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439352800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6215,9 +6156,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -6239,7 +6178,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6251,8 +6190,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431356887Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439355400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6264,9 +6203,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -6288,7 +6225,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6300,8 +6237,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431358749Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439357800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6313,9 +6250,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -6337,7 +6272,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6349,8 +6284,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431360216Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439360600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6362,9 +6297,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -6411,7 +6344,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6428,8 +6361,9 @@ "event": { "severity": 6, "duration": 325000000000, - "ingested": "2021-06-03T06:53:06.431361727Z", - "original": "%ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439364100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:29:31.000Z", @@ -6446,7 +6380,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11564", "source_interface": "outside" } @@ -6496,7 +6429,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6513,8 +6446,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431363080Z", - "original": "%ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439366800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -6531,7 +6465,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11797", "source_interface": "outside" } @@ -6580,7 +6513,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6596,8 +6529,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431364513Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", + "ingested": "2021-06-09T10:11:13.439369300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -6611,8 +6544,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -6660,7 +6592,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6676,8 +6608,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431365964Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "ingested": "2021-06-09T10:11:13.439371900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -6696,8 +6628,7 @@ "mapped_source_ip": "100.66.115.46", "connection_id": "11798", "source_interface": "outside", - "mapped_destination_port": 1386, - "message_id": "302013" + "mapped_destination_port": 1386 } } }, @@ -6744,7 +6675,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6760,8 +6691,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431367421Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439374300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6772,12 +6703,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -6826,7 +6756,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6842,8 +6772,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431368778Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439376800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6854,12 +6784,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -6908,7 +6837,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6924,8 +6853,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431370158Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439379400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6936,12 +6865,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -6990,7 +6918,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7006,8 +6934,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431371518Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439381800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7018,12 +6946,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7072,7 +6999,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7088,8 +7015,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431373137Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439384300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7100,12 +7027,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7154,7 +7080,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7170,8 +7096,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431374521Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439386800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7182,12 +7108,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7236,7 +7161,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7252,8 +7177,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431375991Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439389500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7264,12 +7189,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7318,7 +7242,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7334,8 +7258,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431377458Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439392Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7346,12 +7270,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7400,7 +7323,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7416,8 +7339,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431378836Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439394400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7428,12 +7351,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7482,7 +7404,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7498,8 +7420,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431380179Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439397Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7510,12 +7432,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7564,7 +7485,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7580,8 +7501,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431381808Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439399500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7592,12 +7513,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7646,7 +7566,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7662,8 +7582,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431383354Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439402Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7674,12 +7594,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7728,7 +7647,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7744,8 +7663,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431384724Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439404500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7756,12 +7675,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7810,7 +7728,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7826,8 +7744,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431386254Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "ingested": "2021-06-09T10:11:13.439407Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -7841,8 +7759,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -7890,7 +7807,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7906,8 +7823,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431387618Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "ingested": "2021-06-09T10:11:13.439409500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -7926,8 +7843,7 @@ "mapped_source_ip": "100.66.205.99", "connection_id": "11799", "source_interface": "outside", - "mapped_destination_port": 1275, - "message_id": "302013" + "mapped_destination_port": 1275 } } }, @@ -7974,7 +7890,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7990,8 +7906,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431389066Z", - "original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "ingested": "2021-06-09T10:11:13.439412Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8005,8 +7921,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -8054,7 +7969,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8070,8 +7985,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431390525Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439414500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8090,8 +8005,7 @@ "mapped_source_ip": "100.66.14.30", "connection_id": "11800", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -8139,7 +8053,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8156,8 +8070,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431391957Z", - "original": "%ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", + "ingested": "2021-06-09T10:11:13.439417100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8174,7 +8088,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11800", "source_interface": "outside" } @@ -8224,7 +8137,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8240,8 +8153,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431393347Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439419500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8260,8 +8173,7 @@ "mapped_source_ip": "100.66.252.210", "connection_id": "11801", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -8309,7 +8221,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8326,8 +8238,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431394683Z", - "original": "%ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", + "ingested": "2021-06-09T10:11:13.439422Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8344,7 +8256,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11801", "source_interface": "outside" } @@ -8393,7 +8304,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8409,8 +8320,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431396082Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", + "ingested": "2021-06-09T10:11:13.439424500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8424,8 +8335,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -8473,7 +8383,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8489,8 +8399,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431397665Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", + "ingested": "2021-06-09T10:11:13.439427100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8509,8 +8419,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11802", "source_interface": "outside", - "mapped_destination_port": 1276, - "message_id": "302013" + "mapped_destination_port": 1276 } } }, @@ -8557,7 +8466,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8573,8 +8482,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431399066Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", + "ingested": "2021-06-09T10:11:13.439430800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8588,8 +8497,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -8637,7 +8545,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8653,8 +8561,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431401034Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", + "ingested": "2021-06-09T10:11:13.439433500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8673,8 +8581,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11803", "source_interface": "outside", - "mapped_destination_port": 1277, - "message_id": "302013" + "mapped_destination_port": 1277 } } }, @@ -8722,7 +8629,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8739,8 +8646,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431402520Z", - "original": "%ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439436800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8757,7 +8665,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11802", "source_interface": "outside" } @@ -8806,7 +8713,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8822,8 +8729,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431403885Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", + "ingested": "2021-06-09T10:11:13.439439900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8837,8 +8744,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -8886,7 +8792,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8902,8 +8808,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431405263Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", + "ingested": "2021-06-09T10:11:13.439442500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8922,8 +8828,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11804", "source_interface": "outside", - "mapped_destination_port": 1278, - "message_id": "302013" + "mapped_destination_port": 1278 } } }, @@ -8971,7 +8876,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8988,8 +8893,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431407937Z", - "original": "%ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439445200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9006,7 +8912,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11803", "source_interface": "outside" } @@ -9055,7 +8960,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9071,8 +8976,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431409568Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", + "ingested": "2021-06-09T10:11:13.439447800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9086,8 +8991,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -9135,7 +9039,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9151,8 +9055,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431411170Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", + "ingested": "2021-06-09T10:11:13.439450300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9171,8 +9075,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11805", "source_interface": "outside", - "mapped_destination_port": 1279, - "message_id": "302013" + "mapped_destination_port": 1279 } } }, @@ -9220,7 +9123,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9237,8 +9140,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431413113Z", - "original": "%ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439452800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9255,7 +9159,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11804", "source_interface": "outside" } @@ -9305,7 +9208,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9322,8 +9225,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431414658Z", - "original": "%ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439455300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9340,7 +9244,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11805", "source_interface": "outside" } @@ -9389,7 +9292,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9405,8 +9308,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431416209Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", + "ingested": "2021-06-09T10:11:13.439457700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9420,8 +9323,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -9469,7 +9371,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9485,8 +9387,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431417787Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", + "ingested": "2021-06-09T10:11:13.439460300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9505,8 +9407,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11806", "source_interface": "outside", - "mapped_destination_port": 1280, - "message_id": "302013" + "mapped_destination_port": 1280 } } }, @@ -9554,7 +9455,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9571,8 +9472,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431419137Z", - "original": "%ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439462800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9589,7 +9491,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11806", "source_interface": "outside" } @@ -9638,7 +9539,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9654,8 +9555,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431420501Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", + "ingested": "2021-06-09T10:11:13.439465200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9669,8 +9570,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -9718,7 +9618,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9734,8 +9634,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431421858Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", + "ingested": "2021-06-09T10:11:13.439467700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9754,8 +9654,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11807", "source_interface": "outside", - "mapped_destination_port": 1281, - "message_id": "302013" + "mapped_destination_port": 1281 } } }, @@ -9802,7 +9701,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9818,8 +9717,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431423507Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", + "ingested": "2021-06-09T10:11:13.439470200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9833,8 +9732,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -9882,7 +9780,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9898,8 +9796,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431425053Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", + "ingested": "2021-06-09T10:11:13.439472600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9918,8 +9816,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11808", "source_interface": "outside", - "mapped_destination_port": 1282, - "message_id": "302013" + "mapped_destination_port": 1282 } } }, @@ -9966,7 +9863,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9982,8 +9879,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431426420Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", + "ingested": "2021-06-09T10:11:13.439475100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9997,8 +9894,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -10046,7 +9942,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10062,8 +9958,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431427777Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", + "ingested": "2021-06-09T10:11:13.439477500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10082,8 +9978,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11809", "source_interface": "outside", - "mapped_destination_port": 1283, - "message_id": "302013" + "mapped_destination_port": 1283 } } }, @@ -10130,7 +10025,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10146,8 +10041,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431429230Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", + "ingested": "2021-06-09T10:11:13.439480Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10161,8 +10056,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -10210,7 +10104,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10226,8 +10120,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431430580Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", + "ingested": "2021-06-09T10:11:13.439482500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10246,8 +10140,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11810", "source_interface": "outside", - "mapped_destination_port": 1284, - "message_id": "302013" + "mapped_destination_port": 1284 } } }, @@ -10295,7 +10188,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10312,8 +10205,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431432472Z", - "original": "%ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439485Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10330,7 +10224,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11807", "source_interface": "outside" } @@ -10380,7 +10273,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10397,8 +10290,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431433949Z", - "original": "%ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439487500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10415,7 +10309,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11808", "source_interface": "outside" } @@ -10465,7 +10358,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10482,8 +10375,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431435406Z", - "original": "%ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439490Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10500,7 +10394,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11809", "source_interface": "outside" } @@ -10549,7 +10442,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10565,8 +10458,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431436769Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", + "ingested": "2021-06-09T10:11:13.439492600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10580,8 +10473,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -10629,7 +10521,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10645,8 +10537,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431438167Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", + "ingested": "2021-06-09T10:11:13.439495Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10665,8 +10557,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11811", "source_interface": "outside", - "mapped_destination_port": 1285, - "message_id": "302013" + "mapped_destination_port": 1285 } } }, @@ -10713,7 +10604,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10729,8 +10620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431439517Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", + "ingested": "2021-06-09T10:11:13.439497500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10744,8 +10635,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -10793,7 +10683,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10809,8 +10699,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431441001Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", + "ingested": "2021-06-09T10:11:13.439500100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10829,8 +10719,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11812", "source_interface": "outside", - "mapped_destination_port": 1286, - "message_id": "302013" + "mapped_destination_port": 1286 } } }, @@ -10878,7 +10767,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10895,8 +10784,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431442414Z", - "original": "%ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439502600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10913,7 +10803,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11810", "source_interface": "outside" } @@ -10962,7 +10851,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10978,8 +10867,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431443836Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", + "ingested": "2021-06-09T10:11:13.439505Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10993,8 +10882,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -11042,7 +10930,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11058,8 +10946,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431445246Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", + "ingested": "2021-06-09T10:11:13.439507500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -11078,8 +10966,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11813", "source_interface": "outside", - "mapped_destination_port": 1287, - "message_id": "302013" + "mapped_destination_port": 1287 } } }, @@ -11127,7 +11014,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11144,8 +11031,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431446673Z", - "original": "%ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439510Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11162,7 +11050,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11811", "source_interface": "outside" } @@ -11212,7 +11099,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11229,8 +11116,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431448159Z", - "original": "%ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439512600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11247,7 +11135,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11812", "source_interface": "outside" } @@ -11297,7 +11184,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11313,8 +11200,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431449989Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439515200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11333,8 +11220,7 @@ "mapped_source_ip": "100.66.100.107", "connection_id": "11814", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -11381,7 +11267,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11397,8 +11283,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431451822Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", + "ingested": "2021-06-09T10:11:13.439517600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11412,8 +11298,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -11461,7 +11346,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11477,8 +11362,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431453871Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", + "ingested": "2021-06-09T10:11:13.439520100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -11497,8 +11382,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11815", "source_interface": "outside", - "mapped_destination_port": 1288, - "message_id": "302013" + "mapped_destination_port": 1288 } } }, @@ -11546,7 +11430,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11563,8 +11447,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431455406Z", - "original": "%ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", + "ingested": "2021-06-09T10:11:13.439522600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11581,7 +11465,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11814", "source_interface": "outside" } @@ -11631,7 +11514,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11647,8 +11530,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431456846Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439525200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11667,8 +11550,7 @@ "mapped_source_ip": "100.66.104.8", "connection_id": "11816", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -11716,7 +11598,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11733,8 +11615,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431458578Z", - "original": "%ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", + "ingested": "2021-06-09T10:11:13.439527700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11751,7 +11633,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11816", "source_interface": "outside" } @@ -11800,7 +11681,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11816,8 +11697,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431460168Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", + "ingested": "2021-06-09T10:11:13.439530100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11831,8 +11712,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -11880,7 +11760,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11896,8 +11776,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431461711Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", + "ingested": "2021-06-09T10:11:13.439532600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -11916,8 +11796,7 @@ "mapped_source_ip": "100.66.123.191", "connection_id": "11817", "source_interface": "outside", - "mapped_destination_port": 1289, - "message_id": "302013" + "mapped_destination_port": 1289 } } }, @@ -11965,7 +11844,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11982,8 +11861,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431463095Z", - "original": "%ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439535200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12000,7 +11880,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11815", "source_interface": "outside" } @@ -12050,7 +11929,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12067,8 +11946,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431465784Z", - "original": "%ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439537700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12085,7 +11965,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11813", "source_interface": "outside" } @@ -12135,7 +12014,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12151,8 +12030,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431467509Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439540200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12171,8 +12050,7 @@ "mapped_source_ip": "100.66.100.4", "connection_id": "11818", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -12220,7 +12098,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12237,8 +12115,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431469185Z", - "original": "%ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-06-09T10:11:13.439542700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12255,7 +12133,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11818", "source_interface": "outside" } @@ -12304,7 +12181,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12320,8 +12197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431470641Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", + "ingested": "2021-06-09T10:11:13.439545200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -12335,8 +12212,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -12384,7 +12260,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12400,8 +12276,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431472117Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", + "ingested": "2021-06-09T10:11:13.439548200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -12420,8 +12296,7 @@ "mapped_source_ip": "100.66.198.25", "connection_id": "11819", "source_interface": "outside", - "mapped_destination_port": 1290, - "message_id": "302013" + "mapped_destination_port": 1290 } } }, @@ -12469,7 +12344,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12486,8 +12361,8 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-06-03T06:53:06.431473464Z", - "original": "%ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", + "ingested": "2021-06-09T10:11:13.439551Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", "start": "2018-10-10T11:36:10.000Z", @@ -12504,7 +12379,6 @@ "cisco": { "asa": { "destination_interface": "NP Identity Ifc", - "message_id": "302016", "connection_id": "9828", "source_interface": "outside" } @@ -12529,7 +12403,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12541,8 +12415,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431474859Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439553700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -12554,9 +12428,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -12603,7 +12475,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12619,8 +12491,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431476363Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439556500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12639,8 +12511,7 @@ "mapped_source_ip": "100.66.3.39", "connection_id": "11820", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -12688,7 +12559,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12704,8 +12575,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431477739Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439559100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12724,8 +12595,7 @@ "mapped_source_ip": "100.66.162.30", "connection_id": "11821", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -12773,7 +12643,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12790,8 +12660,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431479081Z", - "original": "%ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", + "ingested": "2021-06-09T10:11:13.439561600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12808,7 +12678,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11820", "source_interface": "outside" } @@ -12858,7 +12727,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12874,8 +12743,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431480479Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439564400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12894,8 +12763,7 @@ "mapped_source_ip": "100.66.3.39", "connection_id": "11822", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -12943,7 +12811,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12960,8 +12828,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431481824Z", - "original": "%ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", + "ingested": "2021-06-09T10:11:13.439567Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12978,7 +12846,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11821", "source_interface": "outside" } @@ -13028,7 +12895,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13045,8 +12912,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431483298Z", - "original": "%ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "ingested": "2021-06-09T10:11:13.439570300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -13063,7 +12930,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11822", "source_interface": "outside" } @@ -13113,7 +12979,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13129,8 +12995,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431484661Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439573100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13149,8 +13015,7 @@ "mapped_source_ip": "100.66.48.186", "connection_id": "11823", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -13198,7 +13063,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13215,8 +13080,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431486033Z", - "original": "%ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", + "ingested": "2021-06-09T10:11:13.439575700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -13233,7 +13098,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11823", "source_interface": "outside" } @@ -13282,7 +13146,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13298,8 +13162,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431487385Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295", + "ingested": "2021-06-09T10:11:13.439578400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13313,8 +13177,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -13362,7 +13225,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13378,8 +13241,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431488748Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", + "ingested": "2021-06-09T10:11:13.439581300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13398,8 +13261,7 @@ "mapped_source_ip": "100.66.54.190", "connection_id": "11824", "source_interface": "outside", - "mapped_destination_port": 1291, - "message_id": "302013" + "mapped_destination_port": 1291 } } }, @@ -13447,7 +13309,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13463,8 +13325,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431490584Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439584100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13483,8 +13345,7 @@ "mapped_source_ip": "100.66.254.94", "connection_id": "11825", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -13532,7 +13393,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13549,8 +13410,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431492184Z", - "original": "%ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", + "ingested": "2021-06-09T10:11:13.439587Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -13567,7 +13428,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11825", "source_interface": "outside" } @@ -13616,7 +13476,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13632,8 +13492,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431493866Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296", + "ingested": "2021-06-09T10:11:13.439589600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13647,8 +13507,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -13696,7 +13555,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13712,8 +13571,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431495239Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", + "ingested": "2021-06-09T10:11:13.439598300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13732,8 +13591,7 @@ "mapped_source_ip": "100.66.54.190", "connection_id": "11826", "source_interface": "outside", - "mapped_destination_port": 1292, - "message_id": "302013" + "mapped_destination_port": 1292 } } }, @@ -13780,7 +13638,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13796,8 +13654,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431496582Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297", + "ingested": "2021-06-09T10:11:13.439601100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13811,8 +13669,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -13860,7 +13717,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13876,8 +13733,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431498122Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", + "ingested": "2021-06-09T10:11:13.439603800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13896,8 +13753,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11827", "source_interface": "outside", - "mapped_destination_port": 1293, - "message_id": "302013" + "mapped_destination_port": 1293 } } }, @@ -13944,7 +13800,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13960,8 +13816,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431499561Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298", + "ingested": "2021-06-09T10:11:13.439606400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13975,8 +13831,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -14024,7 +13879,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14040,8 +13895,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431500950Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", + "ingested": "2021-06-09T10:11:13.439608900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14060,8 +13915,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11828", "source_interface": "outside", - "mapped_destination_port": 1294, - "message_id": "302013" + "mapped_destination_port": 1294 } } }, @@ -14109,7 +13963,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14126,8 +13980,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431502398Z", - "original": "%ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439611400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14144,7 +13999,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11827", "source_interface": "outside" } @@ -14193,7 +14047,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14209,8 +14063,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431503763Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299", + "ingested": "2021-06-09T10:11:13.439614Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14224,8 +14078,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -14273,7 +14126,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14289,8 +14142,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431505108Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", + "ingested": "2021-06-09T10:11:13.439616500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14309,8 +14162,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11829", "source_interface": "outside", - "mapped_destination_port": 1295, - "message_id": "302013" + "mapped_destination_port": 1295 } } }, @@ -14357,7 +14209,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14373,8 +14225,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431506640Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300", + "ingested": "2021-06-09T10:11:13.439619Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14388,8 +14240,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -14437,7 +14288,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14453,8 +14304,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431508106Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", + "ingested": "2021-06-09T10:11:13.439621500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14473,8 +14324,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11830", "source_interface": "outside", - "mapped_destination_port": 1296, - "message_id": "302013" + "mapped_destination_port": 1296 } } }, @@ -14522,7 +14372,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14539,8 +14389,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431509643Z", - "original": "%ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439624100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14557,7 +14408,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11828", "source_interface": "outside" } @@ -14607,7 +14457,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14624,8 +14474,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431513505Z", - "original": "%ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439626800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14642,7 +14493,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11829", "source_interface": "outside" } @@ -14692,7 +14542,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14709,8 +14559,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431514986Z", - "original": "%ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439629300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14727,7 +14578,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11830", "source_interface": "outside" } @@ -14776,7 +14626,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14792,8 +14642,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431516284Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301", + "ingested": "2021-06-09T10:11:13.439631900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14807,8 +14657,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -14856,7 +14705,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14872,8 +14721,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431517661Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", + "ingested": "2021-06-09T10:11:13.439634500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14892,8 +14741,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11831", "source_interface": "outside", - "mapped_destination_port": 1297, - "message_id": "302013" + "mapped_destination_port": 1297 } } }, @@ -14940,7 +14788,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14956,8 +14804,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431519201Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302", + "ingested": "2021-06-09T10:11:13.439637Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14971,8 +14819,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -15020,7 +14867,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15036,8 +14883,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431521404Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", + "ingested": "2021-06-09T10:11:13.439639400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15056,8 +14903,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11832", "source_interface": "outside", - "mapped_destination_port": 1298, - "message_id": "302013" + "mapped_destination_port": 1298 } } }, @@ -15105,7 +14951,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15121,8 +14967,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431524206Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439642Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -15141,8 +14987,7 @@ "mapped_source_ip": "100.66.179.9", "connection_id": "11833", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -15190,7 +15035,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15207,8 +15052,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431525854Z", - "original": "%ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "ingested": "2021-06-09T10:11:13.439644500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15225,7 +15070,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11833", "source_interface": "outside" } @@ -15275,7 +15119,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15292,8 +15136,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431527497Z", - "original": "%ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439647Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15310,7 +15155,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11831", "source_interface": "outside" } @@ -15359,7 +15203,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15375,8 +15219,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431528818Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303", + "ingested": "2021-06-09T10:11:13.439649500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15390,8 +15234,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -15439,7 +15282,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15455,8 +15298,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431530135Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", + "ingested": "2021-06-09T10:11:13.439652Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15475,8 +15318,7 @@ "mapped_source_ip": "100.66.247.99", "connection_id": "11834", "source_interface": "outside", - "mapped_destination_port": 1299, - "message_id": "302013" + "mapped_destination_port": 1299 } } }, @@ -15523,7 +15365,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15539,8 +15381,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431531538Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304", + "ingested": "2021-06-09T10:11:13.439654500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15554,8 +15396,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -15603,7 +15444,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15619,8 +15460,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431532845Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", + "ingested": "2021-06-09T10:11:13.439657Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15639,8 +15480,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11835", "source_interface": "outside", - "mapped_destination_port": 1300, - "message_id": "302013" + "mapped_destination_port": 1300 } } }, @@ -15688,7 +15528,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15705,8 +15545,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431534335Z", - "original": "%ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439660300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15723,7 +15564,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11832", "source_interface": "outside" } @@ -15773,7 +15613,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15790,8 +15630,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431535820Z", - "original": "%ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:13.439662900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15808,7 +15649,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11835", "source_interface": "outside" } @@ -15857,7 +15697,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15873,8 +15713,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431537219Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305", + "ingested": "2021-06-09T10:11:13.439665900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15888,8 +15728,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -15937,7 +15776,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15953,8 +15792,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431538667Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", + "ingested": "2021-06-09T10:11:13.439668400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15973,8 +15812,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11836", "source_interface": "outside", - "mapped_destination_port": 1301, - "message_id": "302013" + "mapped_destination_port": 1301 } } }, @@ -16021,7 +15859,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16037,8 +15875,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431540356Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306", + "ingested": "2021-06-09T10:11:13.439670900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -16052,8 +15890,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -16101,7 +15938,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16117,8 +15954,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431541669Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", + "ingested": "2021-06-09T10:11:13.439673600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -16137,8 +15974,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11837", "source_interface": "outside", - "mapped_destination_port": 1302, - "message_id": "302013" + "mapped_destination_port": 1302 } } }, @@ -16161,7 +15997,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16173,8 +16009,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431543265Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439676100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16186,9 +16022,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16210,7 +16044,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16222,8 +16056,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431544721Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439679300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16235,9 +16069,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16259,7 +16091,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16271,8 +16103,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431546391Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439681900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16284,9 +16116,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16308,7 +16138,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16320,8 +16150,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431547856Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439684500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16333,9 +16163,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16357,7 +16185,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16369,8 +16197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431549558Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439687Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16382,9 +16210,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16406,7 +16232,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16418,8 +16244,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431550874Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439689500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16431,9 +16257,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16455,7 +16279,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16467,8 +16291,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431552553Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439692Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16480,9 +16304,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16504,7 +16326,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16516,8 +16338,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431553978Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439694500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16529,9 +16351,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16553,7 +16373,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16565,8 +16385,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431555605Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439697100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16578,9 +16398,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16602,7 +16420,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16614,8 +16432,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431557106Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439701900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16627,9 +16445,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16651,7 +16467,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16663,8 +16479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431558446Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439705600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16676,9 +16492,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16700,7 +16514,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16712,8 +16526,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431559748Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439708500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16725,9 +16539,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16749,7 +16561,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16761,8 +16573,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431561285Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439711Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16774,9 +16586,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16798,7 +16608,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16810,8 +16620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431562695Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439713500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16823,9 +16633,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16847,7 +16655,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16859,8 +16667,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431564029Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439716Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16872,9 +16680,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -16920,7 +16726,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16936,8 +16742,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431632296Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", + "ingested": "2021-06-09T10:11:13.439718600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -16951,8 +16757,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -17000,7 +16805,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17016,8 +16821,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431635152Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", + "ingested": "2021-06-09T10:11:13.439721100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -17036,8 +16841,7 @@ "mapped_source_ip": "100.66.205.99", "connection_id": "11840", "source_interface": "outside", - "mapped_destination_port": 1304, - "message_id": "302013" + "mapped_destination_port": 1304 } } }, @@ -17060,7 +16864,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17072,8 +16876,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431636870Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439723700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17085,9 +16889,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -17109,7 +16911,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17121,8 +16923,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431638854Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439726400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17134,9 +16936,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -17183,7 +16983,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17199,8 +16999,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431640314Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439728900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -17219,8 +17019,7 @@ "mapped_source_ip": "100.66.0.124", "connection_id": "11841", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -17268,7 +17067,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17284,8 +17083,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431641650Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:13.439731600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -17304,8 +17103,7 @@ "mapped_source_ip": "100.66.160.2", "connection_id": "11842", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -17353,7 +17151,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17370,8 +17168,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431643083Z", - "original": "%ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", + "ingested": "2021-06-09T10:11:13.439734100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17388,7 +17186,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11841", "source_interface": "outside" } @@ -17438,7 +17235,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17455,8 +17252,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:06.431646431Z", - "original": "%ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-06-09T10:11:13.439736700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17473,7 +17270,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11842", "source_interface": "outside" } @@ -17522,7 +17318,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17538,8 +17334,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431648485Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", + "ingested": "2021-06-09T10:11:13.439739300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -17553,8 +17349,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -17602,7 +17397,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17618,8 +17413,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431650031Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", + "ingested": "2021-06-09T10:11:13.439741900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -17638,8 +17433,7 @@ "mapped_source_ip": "100.66.124.24", "connection_id": "11843", "source_interface": "outside", - "mapped_destination_port": 1305, - "message_id": "302013" + "mapped_destination_port": 1305 } } }, @@ -17662,7 +17456,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17674,8 +17468,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431651730Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439745200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17687,9 +17481,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -17711,7 +17503,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17723,8 +17515,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431653233Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439747700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17736,9 +17528,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -17760,7 +17550,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17772,8 +17562,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431654843Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439750400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17785,9 +17575,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -17809,7 +17597,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17821,8 +17609,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431656234Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439753100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17834,9 +17622,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -17858,7 +17644,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17870,8 +17656,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431657841Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439755700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17883,9 +17669,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -17907,7 +17691,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17919,8 +17703,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431659361Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439758200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17932,9 +17716,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -17956,7 +17738,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17968,8 +17750,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431660725Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30", + "ingested": "2021-06-09T10:11:13.439760800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17981,9 +17763,7 @@ ] }, "cisco": { - "asa": { - "message_id": "305012" - } + "asa": {} } }, { @@ -18030,7 +17810,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18047,8 +17827,9 @@ "event": { "severity": 6, "duration": 4000000000, - "ingested": "2021-06-03T06:53:06.431662140Z", - "original": "%ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:13.439763400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:52.000Z", @@ -18065,7 +17846,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11843", "source_interface": "outside" } @@ -18114,7 +17894,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18130,8 +17910,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431663540Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439766100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18142,12 +17922,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18196,7 +17975,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18212,8 +17991,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431665217Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439768700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18224,12 +18003,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18278,7 +18056,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18294,8 +18072,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431666647Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439771100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18306,12 +18084,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18360,7 +18137,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18376,8 +18153,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431668062Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310", + "ingested": "2021-06-09T10:11:13.439774100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -18391,8 +18168,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -18440,7 +18216,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18456,8 +18232,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:06.431669449Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", + "ingested": "2021-06-09T10:11:13.439776700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -18476,8 +18252,7 @@ "mapped_source_ip": "100.66.124.24", "connection_id": "11844", "source_interface": "outside", - "mapped_destination_port": 1306, - "message_id": "302013" + "mapped_destination_port": 1306 } } }, @@ -18524,7 +18299,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18540,8 +18315,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431671086Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439779200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18552,12 +18327,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18606,7 +18380,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18622,8 +18396,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431672531Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439782900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18634,12 +18408,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18688,7 +18461,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18704,8 +18477,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431704979Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439785500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18716,12 +18489,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18770,7 +18542,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18786,8 +18558,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431707174Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439788100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18798,12 +18570,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18852,7 +18623,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18868,8 +18639,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431709048Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439790600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18880,12 +18651,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18934,7 +18704,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18950,8 +18720,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431710759Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439793100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18962,12 +18732,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19016,7 +18785,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19032,8 +18801,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431712176Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439795700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19044,12 +18813,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19098,7 +18866,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19114,8 +18882,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431713696Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439798200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19126,12 +18894,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19180,7 +18947,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19196,8 +18963,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431715222Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439800700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19208,12 +18975,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19262,7 +19028,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19278,8 +19044,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431716593Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439803300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19290,12 +19056,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19344,7 +19109,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19360,8 +19125,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431718891Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439806Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19372,12 +19137,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19426,7 +19190,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19442,8 +19206,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431720469Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439808600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19454,12 +19218,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19508,7 +19271,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19524,8 +19287,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431722322Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439811100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19536,12 +19299,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19590,7 +19352,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19606,8 +19368,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431723701Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439814100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19618,12 +19380,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19672,7 +19433,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19688,8 +19449,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431725106Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439816700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19700,12 +19461,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19754,7 +19514,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19770,8 +19530,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431726519Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439819200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19782,12 +19542,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19836,7 +19595,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19852,8 +19611,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431727908Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439821700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19864,12 +19623,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19918,7 +19676,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19934,8 +19692,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431729417Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439824200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19946,12 +19704,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20000,7 +19757,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20016,8 +19773,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431730924Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439826700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20028,12 +19785,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20082,7 +19838,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20098,8 +19854,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431733725Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439829200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20110,12 +19866,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20164,7 +19919,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20180,8 +19935,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431735326Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439831700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20192,12 +19947,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20246,7 +20000,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20262,8 +20016,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431736689Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439834300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20274,12 +20028,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20328,7 +20081,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20344,8 +20097,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431738015Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439836800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20356,12 +20109,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20410,7 +20162,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20426,8 +20178,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431739701Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439839200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20438,12 +20190,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20492,7 +20243,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20508,8 +20259,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431741056Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439841800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20520,12 +20271,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20574,7 +20324,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20590,8 +20340,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431742399Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439844400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20602,12 +20352,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20656,7 +20405,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20672,8 +20421,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431743725Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439846800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20684,12 +20433,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20738,7 +20486,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20754,8 +20502,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431745057Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439849300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20766,12 +20514,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20820,7 +20567,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20836,8 +20583,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431746471Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439851800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20848,12 +20595,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20902,7 +20648,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20918,8 +20664,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431747854Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439854400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20930,12 +20676,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20984,7 +20729,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -21000,8 +20745,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431749289Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439856900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -21012,12 +20757,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -21066,7 +20810,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -21082,8 +20826,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431750641Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439859300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -21094,12 +20838,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -21148,7 +20891,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -21164,8 +20907,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:06.431751978Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:13.439861800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -21176,12 +20919,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json index c4f75f6e265..68e513ce50b 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json @@ -30,7 +30,7 @@ }, "@timestamp": "2020-02-20T16:11:11.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -39,8 +39,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:17.841860845Z", - "original": "%ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", + "ingested": "2021-06-09T10:11:21.033561300Z", + "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", "code": "734001", "kind": "event", "action": "firewall-rule", 
@@ -57,7 +57,6 @@ "cisco": { "asa": { "connection_type": "AnyConnect", - "message_id": "734001", "dap_records": [ "dap_1", "dap_2" diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json index d97d72dd7ba..5df7839ce49 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json @@ -19,7 +19,7 @@ }, "@timestamp": "2021-01-01T01:00:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -31,8 +31,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:17.883071783Z", - "original": "%ASA-7-999999: This message is not filtered.", + "ingested": "2021-06-09T10:11:21.061971Z", + "original": "Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered.", "code": "999999", "kind": "event", "action": "firewall-rule", @@ -44,9 +44,7 @@ ] }, "cisco": { - "asa": { - "message_id": "999999" - } + "asa": {} } }, { @@ -62,7 +60,7 @@ }, "@timestamp": "2021-01-01T01:00:30.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -74,8 +72,8 @@ }, "event": { "severity": 8, - "ingested": "2021-06-03T06:53:17.883078107Z", - "original": "%ASA-8-999999: This phony message is dropped due to log level.", + "ingested": "2021-06-09T10:11:21.061976900Z", + "original": "Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level.", "code": "999999", "kind": "event", "action": "firewall-rule", @@ -87,9 +85,7 @@ ] }, "cisco": { - "asa": { - "message_id": "999999" - } + "asa": {} }, "tags": [ "preserve_original_event" @@ -134,7 +130,7 @@ }, "@timestamp": "2021-01-01T01:02:12.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -150,8 +146,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:17.883079554Z", - "original": "%ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", + "ingested": "2021-06-09T10:11:21.061978800Z", + "original": "Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", "code": "106001", "kind": "event", "action": "firewall-rule", @@ -162,12 +158,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "eth0", - "message_id": "106001" + "source_interface": "eth0" } } } diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json index 747949f54d5..88b45f30094 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json @@ -28,13 +28,16 @@ }, "@timestamp": "2019-10-10T10:21:36.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ "localhost", "target.destination.hostname.local", "Prod-host.name.addr" + ], + "ip": [ + "10.0.55.66" ] }, "host": { @@ -42,8 +45,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:17.973899722Z", - "original": "%ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", + "ingested": "2021-06-09T10:11:21.129156900Z", + "original": "Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", "code": "302021", "kind": "event", "action": "flow-expiration", 
@@ -57,8 +60,7 @@ }, "cisco": { "asa": { - "mapped_source_ip": "10.0.55.66", - "message_id": "302021" + "mapped_source_ip": "10.0.55.66" } } }, @@ -89,7 +91,7 @@ }, "@timestamp": "2011-06-04T21:59:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -105,8 +107,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:17.973906007Z", - "original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0", + "ingested": "2021-06-09T10:11:21.129164700Z", + "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0", "code": "302021", "kind": "event", "action": "flow-expiration", @@ -121,8 +123,8 @@ "cisco": { "asa": { "mapped_source_ip": "192.0.2.134", - "source_username": "type", - "message_id": "302021" + "icmp_type": 8, + "icmp_code": 0 } } } diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json index 233f80f623a..2e9ae443350 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json @@ -2,18 +2,18 @@ "expected": [ { "log": { - "level": "notification", - "syslog": { - "facility": { - "code": 165 - } - } + "level": "notification" }, "destination": { "port": 53, "address": "203.0.113.42", "ip": "203.0.113.42" }, + "syslog": { + "facility": { + "code": 165 + } + }, "source": { "port": 27218, "address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", @@ -43,7 +43,7 @@ }, "@timestamp": "2019-10-04T15:27:55.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
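Review bot: The `@@ -2,18 +2,18 @@` hunk of test-not-ip.log-expected.json moves the facility code out of `log.syslog.facility.code` into a root-level `syslog.facility.code` object; `log.syslog.facility.code` is the ECS field, and ECS 1.10.0 has no top-level `syslog` field set, so unless `syslog.*` is declared in the data stream's own fields.yml (not in view) the regenerated fixture is locking in a non-ECS field. This presumably reflects a target rename in the ingest pipeline rather than an intended schema change. The expected document should keep `"log": { "level": "notification", "syslog": { "facility": { "code": 165 } } }` and the pipeline's target field be corrected to match.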
@@ -55,8 +55,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.043769675Z", - "original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "ingested": "2021-06-09T10:11:21.190319800Z", + "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -67,12 +67,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "OUTSIDE", - "message_id": "106100", "rule_name": "AL-DMZ-LB-IN", "source_interface": "LB-DMZ" } @@ -105,7 +104,7 @@ }, "@timestamp": "2020-01-01T10:42:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -121,8 +120,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.043776014Z", - "original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", + "ingested": "2021-06-09T10:11:21.190328900Z", + "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", "action": "flow-expiration", @@ -136,8 +135,7 @@ }, "cisco": { "asa": { - "mapped_source_host": "mydomain.example.net", - "message_id": "302021" + "mapped_source_host": "mydomain.example.net" } } }, @@ -187,7 +185,7 @@ }, "@timestamp": "2020-01-02T11:33:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -204,8 +202,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.043777511Z", - "original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", + "ingested": "2021-06-09T10:11:21.190331Z", + "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", "action": "firewall-rule", @@ -216,7 +214,7 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { @@ -228,7 +226,6 @@ "rule_name": "dynamic", "source_interface": "eth0", "mapped_destination_port": 80, - "message_id": "338204", "threat_category": "malware" } } diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log index cc9d8449f62..73ea89341b0 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log 
@@ -4,7 +4,7 @@ Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tc
 Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]
 Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]
 Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834
-Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)
+Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)
 Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882
 Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)
 Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392
@@ -69,3 +69,4 @@ Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traf
 Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
 Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
 Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
+Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)
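Review bot: The line added in the `@@ -69,3 +69,4 @@` hunk of test-sample.log uses 1.2.3.4 as the mapped and destination address, which is a routable public IP, while the other sample lines in view keep the non-private side in the 192.0.2.0/24 documentation range. The fixture should follow that convention, for instance (constructed) `Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (192.0.2.4/49926)(LOCAL\username) to vlan-42:192.0.2.4/80 (192.0.2.4/80) (username)`. The regenerated expected document for this line is not in view and would need the same substitution.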
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json index 3504769e0f3..02742967ccf 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json @@ -38,7 +38,7 @@ }, "@timestamp": "2013-04-15T09:36:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -48,8 +48,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181444336Z", - "original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-06-09T10:11:21.284623600Z", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -60,12 +60,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "acl_dmz", "source_interface": "dmz" } @@ -109,7 +108,7 @@ }, "@timestamp": "2013-04-15T09:36:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -119,8 +118,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181451436Z", - "original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-06-09T10:11:21.284630Z", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", 
@@ -131,12 +130,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "acl_dmz", "source_interface": "dmz" } @@ -180,7 +178,7 @@ }, "@timestamp": "2014-04-15T13:34:34.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -190,8 +188,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181452896Z", - "original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284658100Z", + "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -202,12 +200,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "suffix": "session", "rule_name": "acl_in", "source_interface": "inside" @@ -253,7 +250,7 @@ }, "@timestamp": "2013-04-24T16:00:28.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -269,8 +266,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181454234Z", - "original": "%ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "ingested": "2021-06-09T10:11:21.284660800Z", + "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", 
@@ -281,12 +278,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "inside", "source_interface": "inside" } @@ -331,7 +327,7 @@ }, "@timestamp": "2013-04-24T16:00:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -347,8 +343,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181456398Z", - "original": "%ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "ingested": "2021-06-09T10:11:21.284662800Z", + "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -359,12 +355,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "inside", "source_interface": "inside" } @@ -408,7 +403,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -418,8 +413,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181457810Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "ingested": "2021-06-09T10:11:21.284664600Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -433,8 +428,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "outside", - "message_id": "305011" + "source_interface": "outside" } } }, 
@@ -480,7 +474,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -490,8 +484,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181459158Z", - "original": "%ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", + "ingested": "2021-06-09T10:11:21.284666200Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -510,8 +504,7 @@ "mapped_source_ip": "192.0.2.43", "connection_id": "89743274", "source_interface": "outside", - "mapped_destination_port": 12834, - "message_id": "302013" + "mapped_destination_port": 12834 } } }, @@ -553,7 +546,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -563,8 +556,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181460449Z", - "original": "%ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "ingested": "2021-06-09T10:11:21.284667800Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -578,8 +571,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "outside", - "message_id": "305011" + "source_interface": "outside" } } }, 
@@ -628,18 +620,19 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "192.0.2.222", + "192.0.2.43", "10.123.1.35" ] }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181461766Z", - "original": "%ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "ingested": "2021-06-09T10:11:21.284678100Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -658,8 +651,7 @@ "mapped_source_ip": "192.0.2.43", "connection_id": "89743275", "source_interface": "outside", - "mapped_destination_port": 25882, - "message_id": "302015" + "mapped_destination_port": 25882 } } }, @@ -701,7 +693,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -711,8 +703,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181463032Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "ingested": "2021-06-09T10:11:21.284681500Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -726,8 +718,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "outside", - "message_id": "305011" + "source_interface": "outside" } } }, 
@@ -774,18 +765,19 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "192.0.2.1", - "10.123.3.42" + "10.123.3.42", + "10.123.3.130" ] }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181464385Z", - "original": "%ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "ingested": "2021-06-09T10:11:21.284696500Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -804,8 +796,7 @@ "mapped_source_ip": "192.0.2.1", "connection_id": "89743276", "source_interface": "outside", - "mapped_destination_port": 45392, - "message_id": "302013" + "mapped_destination_port": 45392 } } }, @@ -848,7 +839,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -859,8 +850,8 @@ "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-06-03T06:53:18.181465855Z", - "original": "%ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "ingested": "2021-06-09T10:11:21.284698600Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", "start": "2013-04-29T11:36:05.000Z", @@ -877,7 +868,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "89743275", "source_interface": "outside" } @@ -922,7 +912,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -933,8 +923,8 @@ "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-06-03T06:53:18.181467160Z", - "original": "%ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "ingested": "2021-06-09T10:11:21.284700200Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", "start": "2013-04-29T02:59:50.000Z", @@ -952,7 +942,6 @@ "asa": { "source_username": "user1", "destination_interface": "inside", - "message_id": "302016", "connection_id": "666", "source_interface": "outside", "destination_username": "user2" @@ -986,7 +975,7 @@ }, "@timestamp": "2011-06-04T21:59:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1002,8 +991,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181468437Z", - "original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "ingested": "2021-06-09T10:11:21.284701800Z", + "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", "action": "flow-expiration", @@ -1017,8 +1006,7 @@ }, "cisco": { "asa": { - "mapped_source_ip": "192.168.132.46", - "message_id": "302021" + "mapped_source_ip": "192.168.132.46" } } }, @@ -1060,7 +1048,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1070,8 +1058,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181469756Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "ingested": "2021-06-09T10:11:21.284703300Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1085,8 +1073,7 @@ "cisco": { "asa": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -1133,18 +1120,19 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "192.0.0.17", - "192.168.3.42" + "192.168.3.42", + "10.0.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181471057Z", - "original": "%ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "ingested": "2021-06-09T10:11:21.284704800Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -1163,8 +1151,7 @@ "mapped_source_ip": "192.0.0.17", "connection_id": "89743277", "source_interface": "outside", - "mapped_destination_port": 10879, - "message_id": "302013" + "mapped_destination_port": 10879 } } }, @@ -1198,7 +1185,7 @@ }, "@timestamp": "2013-04-30T09:22:33.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1208,8 +1195,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181472448Z", - "original": "%ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "ingested": "2021-06-09T10:11:21.284706500Z", + "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -1220,12 +1207,10 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { - "asa": { - "message_id": "106007" - } + "asa": {} } }, { @@ -1266,7 +1251,7 @@ }, "@timestamp": "2013-04-30T09:22:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1276,8 +1261,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181473751Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284708Z", + "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1288,12 +1273,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1337,7 +1321,7 @@ }, "@timestamp": "2013-04-30T09:22:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
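Review bot: Removing `message_id` from the 106007 events leaves an empty `"asa": {}` object in the new expectations (the `@@ -1220,12 +1207,10 @@` hunk here, and again in the `@@ -2055,12 +2029,10 @@` hunk for the second 106007 event), so the pipeline is now emitting `cisco.asa` with no fields for messages that carry no interface or rule data. Presumably the default pipeline has a remove/clean-up step for empty objects that does not cover this path; an empty object is harmless to the mapping but is noise in the document and makes `exists` queries on `cisco.asa` match events that have no ASA-specific data. Consider having the pipeline drop `cisco.asa` when it is empty and regenerating these expectations so they read `"cisco": {}` (or no `cisco` key at all), whichever the surrounding events already do. The enclosing JSON objects start and end outside the hunk.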
@@ -1347,8 +1331,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181475024Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284709500Z", + "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1359,12 +1343,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1408,7 +1391,7 @@ }, "@timestamp": "2013-04-30T09:22:39.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1418,8 +1401,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181476312Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284710900Z", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1430,12 +1413,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1479,7 +1461,7 @@ }, "@timestamp": "2013-04-30T09:22:39.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1489,8 +1471,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181477615Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284712500Z", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1501,12 +1483,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1550,7 +1531,7 @@ }, "@timestamp": "2013-04-30T09:22:39.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1560,8 +1541,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181478898Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284714100Z", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1572,12 +1553,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1621,7 +1601,7 @@ }, "@timestamp": "2013-04-30T09:22:40.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1631,8 +1611,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181480174Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284715600Z", + "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1643,12 +1623,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1692,7 +1671,7 @@ }, "@timestamp": "2013-04-30T09:22:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1702,8 +1681,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181481543Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284717200Z", + "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1714,12 +1693,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1763,7 +1741,7 @@ }, "@timestamp": "2013-04-30T09:22:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1773,8 +1751,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181482816Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284718700Z", + "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1785,12 +1763,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1834,7 +1811,7 @@ }, "@timestamp": "2013-04-30T09:22:48.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1844,8 +1821,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181484108Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284720200Z", + "original": "Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1856,12 +1833,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "dmz", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1905,7 +1881,7 @@ }, "@timestamp": "2013-04-30T09:22:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1915,8 +1891,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181485392Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284721700Z", + "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1927,12 +1903,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1972,7 +1947,7 @@ }, "@timestamp": "2013-04-30T09:23:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1982,8 +1957,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181486661Z", - "original": "%ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "ingested": "2021-06-09T10:11:21.284723300Z", + "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", "action": "firewall-rule", @@ -1994,12 +1969,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "inside", - "message_id": "106006" + "source_interface": "inside" } } }, @@ -2033,7 +2007,7 @@ }, "@timestamp": "2013-04-30T09:23:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2043,8 +2017,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181487920Z", - "original": "%ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "ingested": "2021-06-09T10:11:21.284724700Z", + "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -2055,12 +2029,10 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { - "asa": { - "message_id": "106007" - } + "asa": {} } }, { @@ -2101,7 +2073,7 @@ }, "@timestamp": "2013-04-30T09:23:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2111,8 +2083,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181489197Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284726200Z", + "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2123,12 +2095,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2172,7 +2143,7 @@ }, "@timestamp": "2013-04-30T09:23:08.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2182,8 +2153,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181490477Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284727800Z", + "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2194,12 +2165,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2243,7 +2213,7 @@ }, "@timestamp": "2013-04-30T09:23:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2253,8 +2223,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181491784Z", - "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284729400Z", + "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2265,12 +2235,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2314,7 +2283,7 @@ }, "@timestamp": "2013-04-30T09:23:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2324,8 +2293,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181493057Z", - "original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284730900Z", + "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2336,12 +2305,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2385,7 +2353,7 @@ }, "@timestamp": "2013-04-30T09:23:34.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2395,8 +2363,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181494350Z", - "original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284732400Z", + "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2407,12 +2375,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2456,7 +2423,7 @@ }, "@timestamp": "2013-04-30T09:23:40.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2466,8 +2433,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181495731Z", - "original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-06-09T10:11:21.284734Z", + "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2478,12 +2445,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "acl_out", "source_interface": "outside" } @@ -2527,7 +2493,7 @@ }, "@timestamp": "2013-04-30T09:23:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2537,8 +2503,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181497003Z", - "original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-06-09T10:11:21.284735500Z", + "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2549,12 +2515,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "acl_out", "source_interface": "outside" } @@ -2598,7 +2563,7 @@ }, "@timestamp": "2013-04-30T09:23:43.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2608,8 +2573,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181498290Z", - "original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284737Z", + "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2620,12 +2585,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2669,7 +2633,7 @@ }, "@timestamp": "2013-04-30T09:23:43.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2679,8 +2643,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181499552Z", - "original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284738500Z", + "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2691,12 +2655,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2740,7 +2703,7 @@ }, "@timestamp": "2018-04-15T13:34:34.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2750,8 +2713,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181500849Z", - "original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:21.284740Z", + "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2762,12 +2725,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106100", "suffix": "session", "rule_name": "acl_in", "source_interface": "inside" @@ -2816,7 +2778,7 @@ }, "@timestamp": "2018-12-11T08:01:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2826,8 +2788,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181502204Z", - "original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", + "ingested": "2021-06-09T10:11:21.284741500Z", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2846,8 +2808,7 @@ "mapped_source_ip": "192.168.77.12", "connection_id": "447235", "source_interface": "outside", - "mapped_destination_port": 80, - "message_id": "302015" + "mapped_destination_port": 80 } } }, @@ -2892,7 +2853,7 @@ }, "@timestamp": "2018-12-11T08:01:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2902,8 +2863,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181503522Z", - "original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-06-09T10:11:21.284743100Z", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2914,12 +2875,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "dmz", "source_interface": "dmz" } @@ -2966,7 +2926,7 @@ }, "@timestamp": "2018-12-11T08:01:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2976,8 +2936,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181505451Z", - "original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-06-09T10:11:21.284744600Z", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2988,12 +2948,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "dmz", "source_interface": "dmz" } @@ -3041,7 +3000,7 @@ }, "@timestamp": "2018-12-11T08:01:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3053,8 +3012,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181506788Z", - "original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-06-09T10:11:21.284746200Z", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3073,8 +3032,7 @@ "mapped_source_ip": "192.0.2.222", "connection_id": "447236", "source_interface": "outside", - "mapped_destination_port": 5678, - "message_id": "302013" + "mapped_destination_port": 5678 } } }, @@ -3120,7 +3078,7 @@ }, "@timestamp": "2018-12-11T08:01:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3132,8 +3090,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181508139Z", - "original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-06-09T10:11:21.284747700Z", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3152,8 +3110,7 @@ "mapped_source_ip": "192.0.2.222", "connection_id": "447236", "source_interface": "outside", - "mapped_destination_port": 5678, - "message_id": "302013" + "mapped_destination_port": 5678 } } }, @@ -3199,7 +3156,7 @@ }, "@timestamp": "2018-12-11T08:01:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3210,8 +3167,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:18.181509442Z", - "original": "%ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:21.284749200Z", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:01:31.000Z", @@ -3228,7 +3186,6 @@ "cisco": { "asa": { "destination_interface": "dmz", - "message_id": "302014", "connection_id": "447236", "source_interface": "outside" } @@ -3276,7 +3233,7 @@ }, "@timestamp": "2018-12-11T08:01:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -3287,8 +3244,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:18.181510720Z", - "original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:21.284750700Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3305,7 +3263,6 @@ "cisco": { "asa": { "destination_interface": "dmz", - "message_id": "302014", "connection_id": "447234", "source_interface": "outside" } @@ -3353,7 +3310,7 @@ }, "@timestamp": "2018-12-11T08:01:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3364,8 +3321,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:18.181511975Z", - "original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:21.284752200Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3382,7 +3340,6 @@ "cisco": { "asa": { "destination_interface": "dmz", - "message_id": "302014", "connection_id": "447234", "source_interface": "outside" } @@ -3409,7 +3366,8 @@ "preserve_original_event" ], "network": { - "transport": "(no" + "iana_number": "6", + "transport": "tcp" }, "observer": { "product": "asa", @@ -3423,7 +3381,7 @@ }, "@timestamp": "2018-12-11T08:01:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -3433,8 +3391,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181513238Z", - "original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-06-09T10:11:21.284753800Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3442,14 +3400,14 @@ "network" ], "type": [ - "info" + "info", + "denied" ], - "outcome": "tcp" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "outside", - "message_id": "106015" + "source_interface": "outside" } } }, @@ -3474,7 +3432,8 @@ "preserve_original_event" ], "network": { - "transport": "(no" + "iana_number": "6", + "transport": "tcp" }, "observer": { "product": "asa", 
@@ -3488,7 +3447,7 @@ }, "@timestamp": "2018-12-11T08:01:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -3498,8 +3457,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181514494Z", - "original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-06-09T10:11:21.284755300Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3507,14 +3466,14 @@ "network" ], "type": [ - "info" + "info", + "denied" ], - "outcome": "tcp" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "outside", - "message_id": "106015" + "source_interface": "outside" } } }, @@ -3559,7 +3518,7 @@ }, "@timestamp": "2018-12-11T08:01:39.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -3569,8 +3528,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181515778Z", - "original": "%ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "ingested": "2021-06-09T10:11:21.284757800Z", + "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -3581,12 +3540,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "dmz", "source_interface": "dmz" } @@ -3634,7 +3592,7 @@ }, "@timestamp": "2018-12-11T08:01:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3644,8 +3602,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181517177Z", - "original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-06-09T10:11:21.284759400Z", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3664,8 +3622,7 @@ "mapped_source_ip": "192.0.2.222", "connection_id": "447237", "source_interface": "outside", - "mapped_destination_port": 65000, - "message_id": "302013" + "mapped_destination_port": 65000 } } }, @@ -3711,7 +3668,7 @@ }, "@timestamp": "2018-12-11T08:01:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -3721,8 +3678,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:18.181518442Z", - "original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-06-09T10:11:21.284761Z", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3741,8 +3698,7 @@ "mapped_source_ip": "192.0.2.222", "connection_id": "447237", "source_interface": "outside", - "mapped_destination_port": 65000, - "message_id": "302013" + "mapped_destination_port": 65000 } } }, @@ -3788,7 +3744,7 @@ }, "@timestamp": "2018-12-11T08:01:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3799,8 +3755,9 @@ "event": { "severity": 6, "duration": 86399000000000, - "ingested": "2021-06-03T06:53:18.181519702Z", - "original": "%ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:21.284762500Z", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-10T08:01:54.000Z", @@ -3817,7 +3774,6 @@ "cisco": { "asa": { "destination_interface": "dmz", - "message_id": "302014", "connection_id": "447237", "source_interface": "outside" } @@ -3862,7 +3818,7 @@ }, "@timestamp": "2012-08-15T23:30:09.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -3873,8 +3829,8 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-06-03T06:53:18.181520987Z", - "original": "%ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", + "ingested": "2021-06-09T10:11:21.284764100Z", + "original": "Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", "start": "2012-08-15T23:28:07.000Z", @@ -3891,7 +3847,6 @@ "cisco": { "asa": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "40", "source_interface": "outside" } @@ -3925,7 +3880,7 @@ }, "@timestamp": "2014-09-12T06:50:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3941,8 +3896,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181522238Z", - "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:21.284765600Z", + "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -3953,12 +3908,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -3990,7 +3944,7 @@ }, "@timestamp": "2014-09-12T06:51:01.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4006,8 +3960,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181523502Z", - "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:21.284777Z", + "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4018,12 +3972,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4055,7 +4008,7 @@ }, "@timestamp": "2014-09-12T06:51:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4071,8 +4024,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181524824Z", - "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:21.284781Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4083,12 +4036,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4120,7 +4072,7 @@ }, "@timestamp": "2014-09-12T06:51:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4136,8 +4088,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181526122Z", - "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:21.284783200Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4148,12 +4100,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4185,7 +4136,7 @@ }, "@timestamp": "2014-09-12T06:51:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4201,8 +4152,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181533166Z", - "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:21.284784900Z", + "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4213,12 +4164,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4250,7 +4200,7 @@ }, "@timestamp": "2014-09-12T06:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4266,8 +4216,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181534491Z", - "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:21.284786500Z", + "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4278,12 +4228,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4315,7 +4264,7 @@ }, "@timestamp": "2014-09-12T06:52:48.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4331,8 +4280,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181535874Z", - "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:21.284788Z", + "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4343,12 +4292,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4380,7 +4328,7 @@ }, "@timestamp": "2014-09-12T06:53:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4396,8 +4344,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:18.181537153Z", - "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:21.284789500Z", + "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4408,12 +4356,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4456,7 +4403,7 @@ }, "@timestamp": "2014-09-12T06:53:01.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4472,8 +4419,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181538427Z", - "original": "%ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "ingested": "2021-06-09T10:11:21.284791100Z", + "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -4484,12 +4431,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "PERMIT_IN", "source_interface": "outside" } @@ -4523,7 +4469,7 @@ }, "@timestamp": "2014-09-12T06:53:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4538,8 +4484,8 @@ }, "event": { "severity": 3, - "ingested": "2021-06-03T06:53:18.181539731Z", - "original": "%ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", + "ingested": "2021-06-09T10:11:21.284792700Z", + "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", "action": "firewall-rule", @@ -4550,14 +4496,13 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "icmp_type": 3, - "message_id": "313001", - "icmp_code": 3, - "source_interface": "Outside" + "source_interface": "Outside", + "icmp_code": 3 } } }, @@ -4592,7 +4537,7 @@ }, "@timestamp": "2015-01-14T13:16:13.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4602,8 +4547,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181541003Z", - "original": "%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", + "ingested": "2021-06-09T10:11:21.284794200Z", + "original": "Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", "action": "firewall-rule", @@ -4614,13 +4559,12 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { "icmp_type": 0, - "source_interface": "inside", - "message_id": "313004" + "source_interface": "inside" } } }, @@ -4670,7 +4614,7 @@ }, "@timestamp": "2015-01-14T13:16:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4678,13 +4622,14 @@ ], "ip": [ "10.1.1.45", + "192.88.99.1", "192.88.99.129" ] }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181542284Z", - "original": "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "ingested": "2021-06-09T10:11:21.284795800Z", + "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", "action": "firewall-rule", @@ -4695,7 +4640,7 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "asa": { @@ -4705,8 +4650,7 @@ "mapped_source_ip": "192.88.99.1", "rule_name": "dynamic", "source_interface": "inside", - "mapped_destination_port": 80, - "message_id": "338002" + "mapped_destination_port": 80 } } }, 
@@ -4751,18 +4695,19 @@ }, "@timestamp": "2015-01-14T13:16:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "10.1.1.1", + "10.2.1.1", "192.0.2.223" ] }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181543556Z", - "original": "%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-06-09T10:11:21.284797400Z", + "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", "action": "firewall-rule", @@ -4784,7 +4729,6 @@ "rule_name": "dynamic", "source_interface": "inside", "mapped_destination_port": 80, - "message_id": "338004", "threat_category": "Malware" } } 
@@ -4830,18 +4774,19 @@ }, "@timestamp": "2015-01-14T13:16:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "10.1.1.1", + "10.2.1.1", "192.0.2.223" ] }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:18.181544864Z", - "original": "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-06-09T10:11:21.284798800Z", + "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", "action": "firewall-rule", @@ -4852,7 +4797,7 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { @@ -4864,7 +4809,6 @@ "rule_name": "dynamic", "source_interface": "inside", "mapped_destination_port": 80, - "message_id": "338008", "threat_category": "Malware" } } @@ -4882,6 +4826,7 @@ "ip": "10.30.30.30" }, "url": { + "path": "/app", "original": "/app" }, "tags": [ @@ -4894,7 +4839,7 @@ }, "@timestamp": "2009-11-16T14:12:35.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4904,8 +4849,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181546153Z", - "original": "%ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", + "ingested": "2021-06-09T10:11:21.284800500Z", + "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", "code": "304001", "kind": "event", "action": "firewall-rule", 
@@ -4916,12 +4861,10 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { - "asa": { - "message_id": "304001" - } + "asa": {} } }, { @@ -4937,7 +4880,10 @@ "ip": "10.5.111.32" }, "url": { - "original": "http://example.com" + "path": "", + "original": "http://example.com", + "scheme": "http", + "domain": "example.com" }, "tags": [ "preserve_original_event" @@ -4949,7 +4895,7 @@ }, "@timestamp": "2009-11-16T14:12:36.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4959,8 +4905,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181547419Z", - "original": "%ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "ingested": "2021-06-09T10:11:21.284802Z", + "original": "Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -4971,12 +4917,10 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { - "asa": { - "message_id": "304001" - } + "asa": {} } }, { @@ -4992,7 +4936,11 @@ "ip": "10.69.6.39" }, "url": { - "original": "http://www.example.net/images/favicon.ico" + "path": "/images/favicon.ico", + "extension": "ico", + "original": "http://www.example.net/images/favicon.ico", + "scheme": "http", + "domain": "www.example.net" }, "tags": [ "preserve_original_event" @@ -5009,7 +4957,7 @@ }, "@timestamp": "2009-11-16T14:12:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5019,8 +4967,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:18.181548709Z", - "original": "%ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "ingested": "2021-06-09T10:11:21.284803500Z", + "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", "code": "304002", "kind": "event", "action": "firewall-rule", 
@@ -5031,14 +4979,111 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "asa": { - "source_interface": "inside", - "message_id": "304002" + "source_interface": "inside" } } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "RU-MOW", + "city_name": "Moscow", + "country_iso_code": "RU", + "country_name": "Russia", + "region_name": "Moscow", + "location": { + "lon": 37.6172, + "lat": 55.7527 + } + }, + "address": "1.2.3.4", + "port": 80, + "user": { + "name": "username" + }, + "ip": "1.2.3.4" + }, + "source": { + "nat": { + "ip": "1.2.3.4" + }, + "address": "10.2.3.4", + "port": 49926, + "ip": "10.2.3.4" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "iana_number": "6", + "transport": "tcp", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "vlan-42" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "internet" + } + } + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "username" + ], + "ip": [ + "10.2.3.4", + "1.2.3.4" + ] + }, + "event": { + "severity": 6, + "ingested": "2021-06-09T10:11:21.284805100Z", + "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)", + "code": "302013", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "vlan-42", + "mapped_source_port": 49926, + "mapped_destination_ip": "1.2.3.4", + "mapped_source_ip": "1.2.3.4", + "connection_id": "27215708", + "source_interface": "internet", + "mapped_destination_port": 80, + "source_username": "LOCAL\\username" + } + }, + "user": { + "name": "username" + } } ] } 
\ No newline at end of file
diff --git a/packages/cisco/data_stream/asa/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/asa/agent/stream/stream.yml.hbs
index 39855b826e7..118adc06c53 100644
--- a/packages/cisco/data_stream/asa/agent/stream/stream.yml.hbs
+++ b/packages/cisco/data_stream/asa/agent/stream/stream.yml.hbs
@@ -4,11 +4,17 @@ paths:
 {{/each}}
 exclude_files: [".gz$"]
 tags:
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
 {{#if preserve_original_event}}
- - preserve_original_event
+ - preserve_original_event
 {{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
 processors:
- - add_locale: ~
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco/data_stream/asa/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/asa/agent/stream/udp.yml.hbs
index 6d2daf97d54..121cfdc4a02 100644
--- a/packages/cisco/data_stream/asa/agent/stream/udp.yml.hbs
+++ b/packages/cisco/data_stream/asa/agent/stream/udp.yml.hbs
@@ -1,11 +1,17 @@
 udp:
 host: "{{udp_host}}:{{udp_port}}"
 tags:
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
 {{#if preserve_original_event}}
- - preserve_original_event
+ - preserve_original_event
 {{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
 processors:
- - add_locale: ~
\ No newline at end of file
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml
index dd1f3b5cc5c..87996bb3169 100644
--- a/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml
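Review bot: The new `{{#if processors}}{{processors}}{{/if}}` block at the end of the stream.yml.hbs hunk splices the policy's processors value into the rendered YAML verbatim, and the template says nothing about the shape it expects; `- add_locale: ~` was moved to column 0 apparently so that a column-0 list in `processors` concatenates onto it, but a value indented differently or not a sequence would produce an unparseable agent config. A one-line template comment would record the contract, e.g. `{{! processors is rendered verbatim: it must be a YAML sequence of processor maps starting at column 0 }}`. The udp.yml.hbs hunk that follows has the same block and needs the same comment. Both files still end without a trailing newline.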
@@ -4,22 +4,25 @@ processors:
 - set:
 field: event.ingested
 value: '{{_ingest.timestamp}}'
-
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
 - set:
 field: ecs.version
- value: '1.9.0'
+ value: '1.10.0'
 #
 # Parse the syslog header
 #
 # This populates the host.hostname, process.name, timestamp and other fields
- # from the header and stores the message contents in log.original.
+ # from the header and stores the message contents in _temp_.full_message.
 - grok:
- field: message
+ field: event.original
 patterns:
- - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:event.original}"
+ - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}"
 pattern_definitions:
 SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?"
- SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.facility.code:int}(?:.%{NONNEGINT:log.syslog.priority:int})?>"
+ SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>"
 # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424.
 FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})"
 ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?"
@@ -34,7 +37,7 @@ processors:
 #
 # This parses the header of an EMBLEM-style message for FTD and ASA prefixes.
 - grok:
- field: event.original
+ field: _temp_.full_message
 patterns:
 - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}"
 # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header.
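Review bot: `SYSLOGFACILITY` in the first hunk now captures into `syslog.facility.code` and `syslog.priority` instead of the ECS fields `log.syslog.facility.code` and `log.syslog.priority`, so for a change whose stated purpose is ECS 1.10.0 alignment the facility and priority land outside the ECS namespace unless a processor later in the file moves `syslog` under `log`, which this hunk does not show. If such a rename exists, a comment beside the pattern saying so would stop the next reader from reverting it; if not, `SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.facility.code:int}(?:.%{NONNEGINT:log.syslog.priority:int})?>"` restores the ECS targets. Separately, the new `rename` of `message` to `event.original` tolerates a missing field through `ignore_missing: true`, but the grok that follows reads `event.original` with no visible `ignore_missing`, so an event arriving without `message` would now fail in grok rather than pass through; the processors list continues outside the hunk, so a pipeline-level `on_failure` may already cover that.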
@@ -181,97 +184,120 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '106001'" field: "message" + description: "106001" pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106002'" field: "message" + description: "106002" pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - dissect: if: "ctx._temp_.cisco.message_id == '106006'" field: "message" + description: "106006" pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106007'" field: "message" + description: "106007" pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - grok: if: "ctx._temp_.cisco.message_id == '106010'" field: "message" + description: "106010" patterns: - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" 
- dissect: if: "ctx._temp_.cisco.message_id == '106013'" field: "message" + description: "106013" pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" - set: if: "ctx._temp_.cisco.message_id == '106013'" field: "network.transport" + description: "106013" value: icmp - set: if: "ctx._temp_.cisco.message_id == '106013'" field: "network.direction" + description: "106013" value: inbound - grok: if: "ctx._temp_.cisco.message_id == '106014'" field: "message" + description: "106014" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?" + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" 
- grok: if: "ctx._temp_.cisco.message_id == '106015'" field: "message" + description: "106015" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106016'" field: "message" pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106016" - dissect: if: "ctx._temp_.cisco.message_id == '106017'" field: "message" pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + description: "106017" - dissect: if: "ctx._temp_.cisco.message_id == '106018'" field: "message" pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + description: "106018" - dissect: if: "ctx._temp_.cisco.message_id == '106020'" field: "message" pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + description: "106020" - dissect: if: "ctx._temp_.cisco.message_id == '106021'" field: "message" pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106021" - dissect: if: "ctx._temp_.cisco.message_id == '106022'" field: "message" pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} 
on interface %{_temp_.cisco.source_interface}" + description: "106022" - grok: if: "ctx._temp_.cisco.message_id == '106023'" field: "message" + description: "106023" patterns: - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" - dissect: if: "ctx._temp_.cisco.message_id == '106027'" field: "message" + description: "106027" pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' - dissect: if: "ctx._temp_.cisco.message_id == '106100'" field: "message" + description: "106100" pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" field: "message" + description: "106103" pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '111004'" field: "message" + description: "111004" pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" - set: field: event.outcome + description: "111004" value: "success" if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" - set: field: event.outcome + description: "111004" value: "failure" if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome 
== 'FAILED'" - remove: 
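Review bot: In the rewritten 106014 grok, the destination address group now reads `:(?[^ (]*)` with no capture name, so as shown the pattern no longer writes `destination.address` for these events, and an unnamed `(?` group is not valid Oniguruma syntax, which would make the grok processor fail to compile for every 106014 message; if the patch actually reads `(?<destination.address>[^ (]*)` and the angle brackets were lost in rendering, disregard this. The 106102/106103 dissect is tagged `description: "106103"` while its condition matches both IDs; the later combined processors use the `"302013, 302015"` form, so `description: "106102, 106103"` would keep the descriptions consistent and searchable. The hunk's enclosing `processors:` list starts and ends outside this hunk.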
@@ -279,296 +305,457 @@ processors: ignore_missing: true - append: field: event.type + description: "111004" value: "change" if: "ctx._temp_.cisco.message_id == '111004'" - grok: if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" field: "message" patterns: - "^%{NOTSPACE} '%{NOTSPACE:host.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" - grok: if: "ctx._temp_.cisco.message_id == '111010'" field: "message" + description: "111010" patterns: - "User '%{NOTSPACE:host.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" - dissect: if: "ctx._temp_.cisco.message_id == '113019'" field: "message" + description: "113019" pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" - - dissect: + - grok: if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' field: "message" - pattern: "Built %{network.direction} %{network.transport} connection %{_temp_.cisco.connection_id} for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + description: "302013, 302015" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" - dissect: if: "ctx._temp_.cisco.message_id == '303002'" field: "message" + description: "303002" pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - dissect: if: "ctx._temp_.cisco.message_id == '302012'" field: "message" + description: "302012" pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" - grok: if: "ctx._temp_.cisco.message_id == '302020'" field: "message" + description: "302020" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr %{IP:destination.address}/%{NUMBER} (%{DATA})?gaddr %{IP:_temp_.natsrcip}/%{NUMBER} laddr %{IP:source.address}/%{NUMBER}(%{GREEDYDATA})?" + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
+ pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" - pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + description: "302022" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302023'" + field: "message" + description: "302023" + pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" - grok: if: "ctx._temp_.cisco.message_id == '304001'" field: "message" + description: "304001" patterns: - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" - value: allow + description: "304001" + value: success - dissect: if: "ctx._temp_.cisco.message_id == '304002'" field: "message" + description: "304002" pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '305011'" field: "message" - pattern: "Built %{} 
%{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + description: "305011" + patterns: + - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} - dissect: if: "ctx._temp_.cisco.message_id == '313001'" field: "message" + description: "313001" pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '313004'" field: "message" + description: "313004" pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" - dissect: if: "ctx._temp_.cisco.message_id == '313005'" field: "message" + description: "313005" pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" - dissect: if: "ctx._temp_.cisco.message_id == '313008'" field: "message" + description: "313008" pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '313009'" field: "message" + description: "313009" pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '322001'" field: "message" + description: "322001" pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '338001'" field: "message" + description: "338001" pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338001'" field: "server.domain" + description: "338001" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338002'" field: "message" + description: "338002" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - set: if: "ctx._temp_.cisco.message_id == '338002'" field: "server.domain" + description: "338002" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338003'" field: "message" + description: "338003" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d 
%{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338004'" field: "message" + description: "338004" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338005'" field: "message" + description: "338005" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338005'" field: "server.domain" + description: "338005" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338006'" field: "message" + description: "338006" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} 
traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338006'" field: "server.domain" + description: "338006" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338007'" field: "message" + description: "338007" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338008'" field: "message" + description: "338008" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338101'" field: "message" + description: "338101" pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic 
from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" - set: if: "ctx._temp_.cisco.message_id == '338101'" field: "server.domain" + description: "338101" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338102'" field: "message" + description: "338102" pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - set: if: "ctx._temp_.cisco.message_id == '338102'" field: "server.domain" + description: "338102" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338103'" field: "message" + description: "338103" pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" - dissect: if: "ctx._temp_.cisco.message_id == '338104'" field: "message" + description: "338104" pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} 
(%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" - dissect: if: "ctx._temp_.cisco.message_id == '338201'" field: "message" + description: "338201" pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338201'" field: "server.domain" + description: "338201" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338202'" field: "message" + description: "338202" pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338202'" field: "server.domain" + description: "338202" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338203'" field: "message" + description: "338203" pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338203'" field: "server.domain" + description: "338203" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338204'" field: "message" + description: "338204" pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338204'" field: "server.domain" + description: "338204" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338301'" field: "message" + description: "338301" pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "client.address" + description: "338301" value: "{{destination.address}}" ignore_empty_value: true - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "client.port" + description: "338301" value: "{{destination.port}}" 
ignore_empty_value: true - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "server.address" + description: "338301" value: "{{source.address}}" ignore_empty_value: true - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "server.port" + description: "338301" value: "{{source.port}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '502103'" field: "message" + description: "502103" pattern: "User priv level changed: Uname: %{host.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" - append: if: "ctx._temp_.cisco.message_id == '502103'" field: "event.type" + description: "502103" value: - "group" - "change" - append: if: "ctx._temp_.cisco.message_id == '502103'" field: "event.category" + description: "502103" value: "iam" - dissect: if: "ctx._temp_.cisco.message_id == '507003'" field: "message" + description: "507003" pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" - dissect: if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' field: "message" + description: "605004, 605005" pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' - dissect: if: "ctx._temp_.cisco.message_id == '609001'" field: "message" + description: "609001" pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" - dissect: if: "ctx._temp_.cisco.message_id == '609002'" field: "message" + description: "609002" pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" - dissect: if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' field: "message" + description: "611102, 611101" pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{host.user.name}' - dissect: if: "ctx._temp_.cisco.message_id == '710003'" field: "message" - pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + description: "710003" + pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '710005'" field: "message" - pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + description: "710005" + pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '713049'" field: "message" + description: "713049" pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '716002'" field: "message" - pattern: "Group %{} User %{source.user.name} IP %{source.address} WebVPN session terminated: User Requested." - - dissect: + description: "716002" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." 
+ - grok: if: "ctx._temp_.cisco.message_id == '722051'" field: "message" - pattern: "Group %{} User %{source.user.name} IP %{source.address} IPv4 Address %{_temp_.cisco.assigned_ip} %{}" + description: "722051" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - dissect: if: "ctx._temp_.cisco.message_id == '733100'" field: "message" + description: "733100" pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" + description: "734001" pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" - dissect: if: "ctx._temp_.cisco.message_id == '805001'" field: "message" + description: "805001" pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - dissect: if: "ctx._temp_.cisco.message_id == '805002'" field: "message" + description: "805002" pattern: "%{network.transport} Flow is no longer offloaded for 
connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - split: field: "_temp_.cisco.dap_records" separator: ",\\s+" ignore_missing: true + - dissect: + if: "ctx._temp_.cisco.message_id == '434002'" + field: "message" + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." 
+ - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." + - dissect: + if: "ctx._temp_.cisco.message_id == '750003'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" + - grok: + if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "message" + patterns: + - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" + # Handle ecs action outcome protocol + - set: + if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "unknown" + - set: + if: '["419002"].contains(ctx._temp_.cisco.message_id)' + field: "network.protocol" + value: "tcp" + - set: + if: '["110002"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["713120"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "connection-started" + - set: + if: '["750003", "713905", "713904", "713906", "713902", 
"713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "error" + - append: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.type" + value: "error" # # Handle 302xxx messages (Flow expiration a.k.a "Teardown") 
@@ -577,12 +764,19 @@ processors: if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" + description: "302012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" - grok: field: "message" if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: - - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA} - - Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from 
%{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) 
%{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" @@ -599,6 +793,7 @@ processors: - kv: if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' field: "message" + description: "430001, 430002, 430003, 430004, 430005" field_split: ",(?=[A-za-z1-9\\s]+:)" value_split: ":" target_field: "_temp_.orig_security" 
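Review bot: The rewritten faddr pattern at the end of this hunk strips the parentheses from the username (`\(%{NOTSPACE:_temp_.cisco.source_username}\)`), while the six new `^Teardown … connection` patterns keep the bare `%{NOTSPACE:_temp_.cisco.source_username}` and therefore store the parenthesised form — the updated fixture in this same patch shows `"source_username": "(LOCAL\\Elastic)"` for a 302016 event. The same account thus lands in cisco.asa.source_username under two spellings depending on message type, which breaks any search or correlation on that field; wrapping the capture in `\(…\)` in all seven patterns (or stripping the parens in one later processor) would make them agree. The six patterns also drop the `:int` cast the old pattern carried on `network.bytes` (`%{NUMBER:network.bytes}` replaces `%{NUMBER:network.bytes:int}`), so the value is now a string unless a convert processor outside this hunk casts it; the ECS mapping for that field is `long`. Seven anchored alternatives tried in order on the highest-volume ASA message is also considerably more regex work per event than the previous two patterns, so it is worth confirming the ordering is actually needed.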
@@ -607,14 +802,15 @@ processors: ignore_failure: true # - # Remove message. + # Remove _temp_.full_message. # # The field has been used as temporary buffer while decoding. The full message - # is kept log.original. Processors below can still add a message field, as some + # is kept under event.original. Processors below can still add a message field, as some # security events contain an explanatory Message field. - remove: field: - message + - _temp_.full_message ignore_missing: true # @@ -1015,7 +1211,6 @@ processors: "430003": connection-finished "430004": file-detected "430005": malware-detected - "dns.question.type": map: "a host address": A 
@@ -1027,14 +1222,12 @@ processors: "marks the start of a zone of authority": SOA "mail exchange": MX "server selection": SRV - "dns.response_code": map: "non-existent domain": NXDOMAIN "server failure": SERVFAIL "query refused": REFUSED "no error": NOERROR - source: | def getField(Map src, String[] path) { for (int i=0; i + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.egress?.zone != null && + ctx?.observer?.ingress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + 
!ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) + + - set: + field: _temp_.url_domain + value: "{{url.domain}}" ignore_failure: true + if: ctx?.url?.domain != null - - convert: - field: "destination.nat.port" - type: integer + - uri_parts: + field: url.original ignore_failure: true + if: ctx?.url?.original != null + - append: + field: url.domain + value: "{{_temp_.url_domain}}" + ignore_failure: true + allow_duplicates: false + if: ctx?._temp_?.url_domain != null # # Populate ECS event.code # - - convert: + - rename: field: _temp_.cisco.message_id target_field: event.code - type: string ignore_failure: true - - remove: field: - _temp_.cisco.message_id - event.code if: 'ctx._temp_.cisco.message_id == ""' ignore_failure: true - # # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. # @@ -1436,14 +1711,12 @@ processors: field: _temp_.cisco target_field: "cisco.asa" ignore_failure: true - # # Remove temporary fields # - remove: field: _temp_ ignore_missing: true - # # Rename some 7.x fields # @@ -1451,7 +1724,6 @@ processors: field: cisco.asa.list_id target_field: cisco.asa.rule_name ignore_missing: true - # ECS categorization - script: lang: painless @@ -1501,6 +1773,36 @@ processors: - malware type: - info + bypass: + kind: event + category: + - network + type: + - info + - change + error: + kind: event + outcome: failure + category: + - network + type: + - error + deleted: + kind: event + category: + - network + type: + - info + - deletion + - user + creation: + kind: event + category: + - network + type: + - info + - creation + - user source: >- if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { return; 
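Review bot: The new `error` entry carries `outcome: failure`, but the categorization script these params feed — the `script` processor starts before this hunk and its body continues in the next one — only copies `kind`, `category` and `type` out of params, so that key is never read and the outcome for 713901–713906/750003 comes solely from the earlier `set` processors. Either drop the key, or have the script honour it with `if (params.get(ctx.event.action).containsKey('outcome')) { ctx.event.outcome = params.get(ctx.event.action).get('outcome'); }` before the outcome-dependent `type` additions. As written, a future action that relies on the params value would get no outcome at all, and the unread key misleads the next person extending this table.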
@@ -1508,22 +1810,28 @@ processors: ctx.event.kind = params.get(ctx.event.action).get('kind'); ctx.event.category = params.get(ctx.event.action).get('category').clone(); ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null) { return; } if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { - if (ctx.event.outcome == 'allow') { + if (ctx.event.outcome == 'success') { ctx.event.type.add('allowed'); } - if (ctx.event.outcome == 'deny') { + if (ctx.event.outcome == 'failure') { ctx.event.type.add('denied'); } if (ctx.event.outcome == 'block') { - ctx.event.type.add('denied'); + ctx.event.type.add('failure'); } } + - set: + description: copy destination.user.name to user.name if it is not set + field: user.name + value: "{{destination.user.name}}" + ignore_empty_value: true + if: ctx?.user?.name == null + # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. - set: field: observer.hostname @@ -1554,11 +1862,21 @@ processors: value: "{{source.ip}}" if: "ctx?.source?.ip != null" allow_duplicates: false + - append: + field: related.ip + value: "{{source.nat.ip}}" + if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false - append: field: related.ip value: "{{destination.ip}}" if: "ctx?.destination?.ip != null" allow_duplicates: false + - append: + field: related.ip + value: "{{destination.nat.ip}}" + if: "ctx?.destination?.nat?.ip != null" + allow_duplicates: false - append: field: related.user value: "{{user.name}}" @@ -1574,6 +1892,11 @@ processors: value: "{{source.user.name}}" if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' allow_duplicates: false + - append: + field: related.user + value: "{{destination.user.name}}" + if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' + allow_duplicates: false - append: field: related.hash value: "{{file.hash.sha256}}" 
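Review bot: `ctx.event.type.add('failure')` in the `block` branch writes a value that is not part of the ECS event.type vocabulary (the intended value here is `denied`, as the removed line had), and `block` itself is not a valid ECS event.outcome now that the two branches above were migrated to `success`/`failure`. If any processor still emits `event.outcome: block`, this branch should normalise rather than propagate it: `if (ctx.event.outcome == 'block') { ctx.event.outcome = 'failure'; ctx.event.type.add('denied'); }`; if nothing emits it any more, the branch can be removed. The updated fixtures in this patch pair `denied` with `failure`, which is consistent with the first two branches but not with this one. The script body starts outside this hunk, so the `params` lookup that precedes these lines is not visible here.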
@@ -1599,6 +1922,30 @@ processors: value: "{{source.domain}}" if: ctx.source?.domain != null && ctx.source?.domain != '' allow_duplicates: false + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); - remove: field: event.original if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" diff --git a/packages/cisco/data_stream/asa/fields/ecs.yml b/packages/cisco/data_stream/asa/fields/ecs.yml index 219b2565803..7681a8a7ee8 100644 --- a/packages/cisco/data_stream/asa/fields/ecs.yml +++ b/packages/cisco/data_stream/asa/fields/ecs.yml 
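Review bot: `handleList` recurses into nested maps and lists but never drops null elements of the list itself, so a `null` inside an array (for example in `related.ip`) survives the sweep while the equivalent null map value is removed by `map.values().removeIf(v -> v == null)`; adding `list.removeIf(v -> v == null);` after the loop in `handleList` would make the two branches symmetric. The `description` says what the script does but not why — a sentence naming which earlier processors can leave explicit nulls behind would let a later maintainer judge whether the full-document walk is still needed. Doing the walk unconditionally on every event is the most expensive processor in this pipeline after grok, so that justification matters.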
@@ -120,6 +120,28 @@ - name: network.transport type: keyword description: Protocol Name corresponding to the field `iana_number`. +- name: network.inner + level: extended + type: object + description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + default_field: false +- name: network.inner.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false +- name: network.inner.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false +- name: network.type + type: keyword + description: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - name: process.name type: keyword description: Process name. @@ -168,9 +190,6 @@ - name: source.port type: long description: Port of the source. -- name: url.original - type: keyword - description: Unmodified original url as seen in the event source. - name: user.email type: keyword description: User email address. 
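Review bot: `network.inner` is declared here as `type: object` (a container for `vlan.id`/`vlan.name`), but the new 602303/602304 dissect in the pipeline hunk of this patch writes the free-text token between `An <direction>` and ` SA` into `%{network.inner}` as a plain string. Elasticsearch rejects a concrete value for a field mapped as object, so every 602303/602304 document would fail indexing unless a processor outside this diff renames or removes that field first. That token is the SA type, not a VLAN tag; capturing it into a package field such as `%{_temp_.cisco.sa_type}` (mapped as keyword in fields.yml) is the safer home, after which the `network.inner*` entries here can be dropped. Worth adding a 602303 sample to the pipeline tests so the mapping conflict surfaces in CI rather than in production.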
@@ -314,9 +333,78 @@ - name: tags type: keyword description: List of keywords used to tag each event. -- name: log.syslog.facility.code +- name: syslog.facility.code type: long description: Syslog numeric facility of the event. -- name: log.syslog.priority +- name: syslog.priority type: long description: Syslog priority of the event. +- name: url + title: URL + group: 2 + type: group + fields: + - name: domain + type: keyword + description: 'Domain of the url, such as "www.elastic.co".' + - name: extension + type: keyword + ignore_above: 1024 + description: "The field contains the file extension from the original request url, excluding the leading dot." + - name: fragment + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + - name: full + type: keyword + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + - name: original + type: keyword + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: "Unmodified original url as seen in the event source." + - name: password + type: keyword + ignore_above: 1024 + description: Password of the request. + - name: path + type: keyword + description: Path of the request, such as "/search". + - name: port + type: long + format: string + description: Port of the request, such as 443. + - name: query + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such as "q=elasticsearch".' + - name: registered_domain + type: keyword + description: "The highest registered url domain, stripped of the subdomain." + - name: scheme + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https".' 
+ - name: subdomain + type: keyword + ignore_above: 1024 + description: "The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain." + default_field: false + - name: top_level_domain + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".' + - name: username + type: keyword + ignore_above: 1024 + description: Username of the request. diff --git a/packages/cisco/data_stream/asa/fields/fields.yml b/packages/cisco/data_stream/asa/fields/fields.yml index 5c162af7433..13b0cce7681 100644 --- a/packages/cisco/data_stream/asa/fields/fields.yml +++ b/packages/cisco/data_stream/asa/fields/fields.yml 
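Review bot: `url.username` and `url.password` become indexed keyword fields here, and the pipeline hunk of this patch now runs `uri_parts` on `url.original`, so credentials embedded in a logged URL (`scheme://user:secret@host/`) are parsed out and stored in cleartext in their own searchable fields. If that is not intended, add a `remove` of `url.password` with `ignore_missing: true` right after `uri_parts`, or state in the data stream documentation that embedded credentials are retained, so operators can decide. Separately, `log.syslog.facility.code`/`log.syslog.priority` are renamed to top-level `syslog.facility.code`/`syslog.priority`: if the pipeline still writes the `log.syslog.*` path these fields lose their explicit mapping, and if it writes `syslog.*` they are non-ECS and belong in fields.yml rather than ecs.yml — which of the two applies is not visible in this diff.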
@@ -3,76 +3,94 @@ fields: - name: message_id type: keyword - description: | + description: > The Cisco ASA message identifier. + - name: suffix type: keyword - description: | + description: > Optional suffix after %ASA identifier. + - name: source_interface type: keyword - description: | + description: > Source interface for the flow or event. + - name: destination_interface type: keyword - description: | + description: > Destination interface for the flow or event. + - name: rule_name type: keyword - description: | + description: > Name of the Access Control List rule that matched this event. + - name: source_username type: keyword - description: | + description: > Name of the user that is the source for this event. + - name: destination_username type: keyword - description: | + description: > Name of the user that is the destination for this event. + - name: mapped_source_ip type: ip - description: | + description: > The translated source IP address. + - name: mapped_source_port type: long - description: | + description: > The translated source port. + - name: mapped_destination_ip type: ip - description: | + description: > The translated destination IP address. + - name: mapped_destination_port type: long - description: | + description: > The translated destination port. + - name: threat_level type: keyword - description: | + description: > Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. + - name: threat_category type: keyword - description: | + description: > Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. + - name: connection_id type: keyword - description: | + description: > Unique identifier for a flow. + - name: icmp_type type: short - description: | + description: > ICMP type. + - name: icmp_code type: short - description: | + description: > ICMP code. 
+ - name: connection_type type: keyword - description: | + description: > The VPN connection type + - name: dap_records type: keyword - description: | + description: > The assigned DAP records + - name: mapped_destination_host type: keyword - name: username @@ -145,3 +163,17 @@ description: > The total count of burst rate hits since the object was created or cleared + - name: security + type: flattened + description: Cisco FTD security event fields. + - name: webvpn.group_name + type: keyword + default_field: false + description: > + The WebVPN group name the user belongs to + + - name: termination_user + default_field: false + type: keyword + description: >- + AAA name of user requesting termination diff --git a/packages/cisco/data_stream/asa/manifest.yml b/packages/cisco/data_stream/asa/manifest.yml index 1ed708da397..1d94c437574 100644 --- a/packages/cisco/data_stream/asa/manifest.yml +++ b/packages/cisco/data_stream/asa/manifest.yml @@ -15,6 +15,7 @@ streams: show_user: false default: - cisco-asa + - forwarded - name: udp_host type: text title: UDP host to listen on @@ -29,6 +30,13 @@ streams: required: true show_user: true default: 9001 + - name: log_level + type: integer + title: Log Level + multi: false + required: true + show_user: false + default: 7 - name: preserve_original_event required: true show_user: true @@ -37,13 +45,15 @@ streams: type: bool multi: false default: false - - name: log_level - type: integer - title: Log Level + - name: processors + type: yaml + title: Processors multi: false - required: true + required: false show_user: false - default: 7 + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile enabled: false title: Cisco ASA logs 
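Review bot: The Teardown grok patterns earlier in this patch capture `_temp_.cisco.termination_initiator` alongside `_temp_.cisco.termination_user`, but only `termination_user` gets a mapping here, so `cisco.asa.termination_initiator` falls back to dynamic mapping (or is dropped if the template disables it) unless a processor outside this diff renames or removes it. A `termination_initiator` keyword entry with `default_field: false` next to `termination_user` would close that gap. The new `termination_user` description, `AAA name of user requesting termination`, would also help readers if it said where the value comes from — as far as the patterns show, the parenthesised trailer of 302014/302016 messages.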
@@ -57,14 +67,6 @@ streams: show_user: true default: - /var/log/cisco-asa.log - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - name: tags type: text title: Tags @@ -73,6 +75,7 @@ streams: show_user: false default: - cisco-asa + - forwarded - name: log_level type: integer title: Log Level @@ -80,3 +83,19 @@ streams: required: true show_user: false default: 7 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json index 5fcb6e968e3..0fc96151af4 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json @@ -40,7 +40,7 @@ }, "@timestamp": "2020-04-17T14:08:08.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -57,8 +57,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.179404393Z", - "original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", + "ingested": "2021-06-09T10:11:23.472044100Z", + "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", "code": "302016", "kind": "event", "start": "2020-04-17T14:08:08.000Z", @@ -76,7 +76,7 @@ "ftd": { "source_username": "(LOCAL\\Elastic)", "destination_interface": "Inside", - "message_id": "302016", + "termination_user": "zzzzzz", "connection_id": "110577675", "source_interface": "Outside" } @@ -119,7 +119,7 @@ }, "@timestamp": "2020-04-17T14:00:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -134,8 +134,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.179410879Z", - "original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.472055500Z", + "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -146,12 +146,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "Outside", - "message_id": "106023", "rule_name": "Inside_access_in", "source_interface": "Inside" } @@ -195,7 +194,7 @@ }, "@timestamp": "2013-04-15T09:36:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -204,8 +203,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.179412400Z", - "original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", + "ingested": "2021-06-09T10:11:23.472056900Z", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -216,12 +215,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "acl_dmz", "source_interface": "dmz" } @@ -266,7 +264,7 @@ }, "@timestamp": "2020-04-17T14:16:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -281,8 +279,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.179413873Z", - "original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.472058Z", + "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -293,13 +291,12 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "source_username": "(LOCAL\\Elastic)", "destination_interface": "Outside", - "message_id": "106023", "rule_name": "Inside_access_in", "source_interface": "Inside" } @@ -328,7 +325,7 @@ }, "@timestamp": "2020-04-17T14:15:07.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -343,8 +340,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:21.179415191Z", - "original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", + "ingested": "2021-06-09T10:11:23.472059100Z", + "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", "code": "106017", "kind": "event", "action": "firewall-rule", @@ -355,12 +352,10 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { - "ftd": { - "message_id": "106017" - } + "ftd": {} } } ] diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json index 9fb08e26bdb..f882d573b0b 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json @@ -43,7 +43,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -59,8 +59,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401145166Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "ingested": "2021-06-09T10:11:23.658548300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -74,8 +74,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -123,7 +122,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -139,8 +138,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401152015Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "ingested": "2021-06-09T10:11:23.658553600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -159,8 +158,7 @@ "mapped_source_ip": "100.66.205.104", "connection_id": "11757", "source_interface": "outside", - "mapped_destination_port": 1772, - "message_id": "302013" + "mapped_destination_port": 1772 } } }, @@ -208,7 +206,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -225,8 +223,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:21.401153471Z", - "original": "%ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658556Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -243,7 +242,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11749", "source_interface": "outside" } @@ -293,7 +291,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -310,8 +308,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:21.401154795Z", - "original": "%ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658557100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -328,7 +327,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11748", "source_interface": "outside" } @@ -378,7 +376,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -395,8 +393,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:21.401156092Z", - "original": "%ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658558200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -413,7 +412,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11745", "source_interface": "outside" } @@ -463,7 +461,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -480,8 +478,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:21.401157373Z", - "original": "%ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658559200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -498,7 +497,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11744", "source_interface": "outside" } @@ -548,7 +546,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -565,8 +563,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:21.401158641Z", - "original": "%ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658560200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -583,7 +582,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11742", "source_interface": "outside" } @@ -633,7 +631,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -650,8 +648,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:21.401159912Z", - "original": "%ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658561200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -668,7 +667,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11738", "source_interface": "outside" } @@ -718,7 +716,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -735,8 +733,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:21.401161175Z", - "original": "%ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658562200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -753,7 +752,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11739", "source_interface": "outside" } @@ -803,7 +801,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -820,8 +818,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:21.401162460Z", - "original": "%ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658563300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -838,7 +837,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11731", "source_interface": "outside" } @@ -888,7 +886,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -905,8 +903,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:21.401163796Z", - "original": "%ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658564300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -923,7 +922,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11723", "source_interface": "outside" } @@ -973,7 +971,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -990,8 +988,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:21.401165310Z", - "original": "%ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658565500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1008,7 +1007,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11715", "source_interface": "outside" } @@ -1058,7 +1056,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1075,8 +1073,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:21.401166630Z", - "original": "%ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658566600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1093,7 +1092,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11711", "source_interface": "outside" } @@ -1143,7 +1141,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -1160,8 +1158,9 @@ "event": { "severity": 6, "duration": 69000000000, - "ingested": "2021-06-03T06:53:21.401167890Z", - "original": "%ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658567600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1178,7 +1177,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11712", "source_interface": "outside" } @@ -1228,7 +1226,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1245,8 +1243,9 @@ "event": { "severity": 6, "duration": 70000000000, - "ingested": "2021-06-03T06:53:21.401169149Z", - "original": "%ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658568600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1263,7 +1262,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11708", "source_interface": "outside" } @@ -1313,7 +1311,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -1330,8 +1328,9 @@ "event": { "severity": 6, "duration": 67000000000, - "ingested": "2021-06-03T06:53:21.401170475Z", - "original": "%ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658569600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -1348,7 +1347,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11746", "source_interface": "outside" } @@ -1398,7 +1396,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1415,8 +1413,9 @@ "event": { "severity": 6, "duration": 70000000000, - "ingested": "2021-06-03T06:53:21.401171839Z", - "original": "%ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658570900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1433,7 +1432,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11706", "source_interface": "outside" } @@ -1483,7 +1481,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -1500,8 +1498,9 @@ "event": { "severity": 6, "duration": 71000000000, - "ingested": "2021-06-03T06:53:21.401173139Z", - "original": "%ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658571900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:45.000Z", @@ -1518,7 +1517,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11702", "source_interface": "outside" } @@ -1568,7 +1566,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1585,8 +1583,9 @@ "event": { "severity": 6, "duration": 30000000000, - "ingested": "2021-06-03T06:53:21.401174400Z", - "original": "%ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "reason": "SYN Timeout", + "ingested": "2021-06-09T10:11:23.658573Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:26.000Z", @@ -1603,7 +1602,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11753", "source_interface": "outside" } @@ -1652,7 +1650,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -1668,8 +1666,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401175688Z", - "original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", + "ingested": "2021-06-09T10:11:23.658573900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1683,8 +1681,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -1732,7 +1729,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1748,8 +1745,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401176978Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658575Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1768,8 +1765,7 @@ "mapped_source_ip": "100.66.80.32", "connection_id": "11758", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -1817,7 +1813,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -1834,8 +1830,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401180163Z", - "original": "%ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", + "ingested": "2021-06-09T10:11:23.658576Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -1852,7 +1848,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11758", "source_interface": "outside" } @@ -1902,7 +1897,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1918,8 +1913,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401181454Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658577Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1938,8 +1933,7 @@ "mapped_source_ip": "100.66.252.6", "connection_id": "11759", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -1987,7 +1981,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2004,8 +1998,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401182894Z", - "original": "%ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "ingested": "2021-06-09T10:11:23.658578100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2022,7 +2016,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11759", "source_interface": "outside" } @@ -2071,7 +2064,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2087,8 +2080,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401184185Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", + "ingested": "2021-06-09T10:11:23.658579100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2102,8 +2095,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -2151,7 +2143,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2167,8 +2159,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401185480Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "ingested": "2021-06-09T10:11:23.658580100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2187,8 +2179,7 @@ "mapped_source_ip": "100.66.252.226", "connection_id": "11760", "source_interface": "outside", - "mapped_destination_port": 1773, - "message_id": "302013" + "mapped_destination_port": 1773 } } }, @@ -2235,7 +2226,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2251,8 +2242,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401195485Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", + "ingested": "2021-06-09T10:11:23.658581100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2266,8 +2257,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -2315,7 +2305,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2331,8 +2321,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401197268Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "ingested": "2021-06-09T10:11:23.658582100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2351,8 +2341,7 @@ "mapped_source_ip": "100.66.252.226", "connection_id": "11761", "source_interface": "outside", - "mapped_destination_port": 1774, - "message_id": "302013" + "mapped_destination_port": 1774 } } }, @@ -2400,7 +2389,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2416,8 +2405,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401198656Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658583100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2436,8 +2425,7 @@ "mapped_source_ip": "100.66.238.126", "connection_id": "11762", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -2485,7 +2473,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2501,8 +2489,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401199917Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658584200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2521,8 +2509,7 @@ "mapped_source_ip": "100.66.93.51", "connection_id": "11763", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -2570,7 +2557,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2587,8 +2574,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401201170Z", - "original": "%ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "ingested": "2021-06-09T10:11:23.658585200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2605,7 +2592,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11762", "source_interface": "outside" } @@ -2655,7 +2641,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2672,8 +2658,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401202430Z", - "original": "%ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "ingested": "2021-06-09T10:11:23.658586600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2690,7 +2676,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11763", "source_interface": "outside" } @@ -2739,7 +2724,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2755,8 +2740,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401203678Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", + "ingested": "2021-06-09T10:11:23.658587700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2770,8 +2755,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -2819,7 +2803,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2835,8 +2819,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401204928Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "ingested": "2021-06-09T10:11:23.658588700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2855,8 +2839,7 @@ "mapped_source_ip": "100.66.225.103", "connection_id": "11764", "source_interface": "outside", - "mapped_destination_port": 1775, - "message_id": "302013" + "mapped_destination_port": 1775 } } }, @@ -2903,7 +2886,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2919,8 +2902,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401206384Z", - "original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", + "ingested": "2021-06-09T10:11:23.658589800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2934,8 +2917,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -2983,7 +2965,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2999,8 +2981,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401207645Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658590800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3019,8 +3001,7 @@ "mapped_source_ip": "100.66.240.126", "connection_id": "11772", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -3068,7 +3049,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3084,8 +3065,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401208911Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658591800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3104,8 +3085,7 @@ "mapped_source_ip": "100.66.44.45", "connection_id": "11773", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -3153,7 +3133,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3170,8 +3150,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401210220Z", - "original": "%ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "ingested": "2021-06-09T10:11:23.658592800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3188,7 +3168,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11772", "source_interface": "outside" } @@ -3238,7 +3217,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3255,8 +3234,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401211478Z", - "original": "%ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "ingested": "2021-06-09T10:11:23.658594400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3273,7 +3252,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11773", "source_interface": "outside" } @@ -3322,7 +3300,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3338,8 +3316,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401212724Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", + "ingested": "2021-06-09T10:11:23.658595400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3353,8 +3331,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -3402,7 +3379,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3418,8 +3395,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401214004Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "ingested": "2021-06-09T10:11:23.658596400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3438,8 +3415,7 @@ "mapped_source_ip": "100.66.179.219", "connection_id": "11774", "source_interface": "outside", - "mapped_destination_port": 1452, - "message_id": "302013" + "mapped_destination_port": 1452 } } }, @@ -3487,7 +3463,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3503,8 +3479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401215259Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658597400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3523,8 +3499,7 @@ "mapped_source_ip": "100.66.157.232", "connection_id": "11775", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -3572,7 +3547,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3588,8 +3563,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401216527Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658598500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3608,8 +3583,7 @@ "mapped_source_ip": "100.66.178.133", "connection_id": "11776", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -3657,7 +3631,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3674,8 +3648,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401217788Z", - "original": "%ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "ingested": "2021-06-09T10:11:23.658599500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3692,7 +3666,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11775", "source_interface": "outside" } @@ -3742,7 +3715,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3759,8 +3732,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401219058Z", - "original": "%ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "ingested": "2021-06-09T10:11:23.658600500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3777,7 +3750,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11776", "source_interface": "outside" } @@ -3826,7 +3798,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3842,8 +3814,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401220339Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", + "ingested": "2021-06-09T10:11:23.658601500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3857,8 +3829,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -3906,7 +3877,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3922,8 +3893,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401221587Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "ingested": "2021-06-09T10:11:23.658602500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3942,8 +3913,7 @@ "mapped_source_ip": "100.66.133.112", "connection_id": "11777", "source_interface": "outside", - "mapped_destination_port": 1453, - "message_id": "302013" + "mapped_destination_port": 1453 } } }, @@ -3991,7 +3961,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4008,8 +3978,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401222876Z", - "original": "%ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658603500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4026,7 +3997,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11777", "source_interface": "outside" } @@ -4076,7 +4046,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4092,8 +4062,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401224165Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658604500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -4112,8 +4082,7 @@ "mapped_source_ip": "100.66.204.197", "connection_id": "11779", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -4161,7 +4130,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4178,8 +4147,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401225432Z", - "original": "%ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-06-09T10:11:23.658605500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4196,7 +4165,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11778", "source_interface": "outside" } @@ -4246,7 +4214,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4263,8 +4231,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401226873Z", - "original": "%ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "ingested": "2021-06-09T10:11:23.658606600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4281,7 +4249,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11779", "source_interface": "outside" } @@ -4330,7 +4297,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4346,8 +4313,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401228136Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", + "ingested": "2021-06-09T10:11:23.658607600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4361,8 +4328,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -4410,7 +4376,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4426,8 +4392,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401229472Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "ingested": "2021-06-09T10:11:23.658608600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4446,8 +4412,7 @@ "mapped_source_ip": "100.66.128.3", "connection_id": "11780", "source_interface": "outside", - "mapped_destination_port": 1454, - "message_id": "302013" + "mapped_destination_port": 1454 } } }, @@ -4494,7 +4459,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4510,8 +4475,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401230726Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", + "ingested": "2021-06-09T10:11:23.658610Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4525,8 +4490,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -4574,7 +4538,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4590,8 +4554,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401231977Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "ingested": "2021-06-09T10:11:23.658611Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4610,8 +4574,7 @@ "mapped_source_ip": "100.66.128.3", "connection_id": "11781", "source_interface": "outside", - "mapped_destination_port": 1455, - "message_id": "302013" + "mapped_destination_port": 1455 } } }, @@ -4658,7 +4621,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4674,8 +4637,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401233227Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", + "ingested": "2021-06-09T10:11:23.658612100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4689,8 +4652,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -4738,7 +4700,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4754,8 +4716,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401234496Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "ingested": "2021-06-09T10:11:23.658613100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4774,8 +4736,7 @@ "mapped_source_ip": "100.66.128.3", "connection_id": "11782", "source_interface": "outside", - "mapped_destination_port": 1456, - "message_id": "302013" + "mapped_destination_port": 1456 } } }, @@ -4823,7 +4784,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4839,8 +4800,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401235806Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658614100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -4859,8 +4820,7 @@ "mapped_source_ip": "100.66.100.4", "connection_id": "11783", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -4908,7 +4868,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4925,8 +4885,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401237057Z", - "original": "%ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-06-09T10:11:23.658615100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4943,7 +4903,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11783", "source_interface": "outside" } @@ -4992,7 +4951,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5008,8 +4967,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401238321Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", + "ingested": "2021-06-09T10:11:23.658616100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5023,8 +4982,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -5072,7 +5030,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5088,8 +5046,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401239569Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "ingested": "2021-06-09T10:11:23.658617100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5108,8 +5066,7 @@ "mapped_source_ip": "100.66.198.40", "connection_id": "11784", "source_interface": "outside", - "mapped_destination_port": 1457, - "message_id": "302013" + "mapped_destination_port": 1457 } } }, @@ -5156,7 +5113,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5172,8 +5129,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401240823Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", + "ingested": "2021-06-09T10:11:23.658618200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5187,8 +5144,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -5236,7 +5192,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5252,8 +5208,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401242197Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "ingested": "2021-06-09T10:11:23.658619200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5272,8 +5228,7 @@ "mapped_source_ip": "100.66.198.40", "connection_id": "11785", "source_interface": "outside", - "mapped_destination_port": 1458, - "message_id": "302013" + "mapped_destination_port": 1458 } } }, @@ -5321,7 +5276,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5337,8 +5292,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401243455Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658620200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -5357,8 +5312,7 @@ "mapped_source_ip": "100.66.1.107", "connection_id": "11786", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -5406,7 +5360,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5423,8 +5377,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401249320Z", - "original": "%ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658621200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -5441,7 +5396,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11784", "source_interface": "outside" } @@ -5490,7 +5444,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5506,8 +5460,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401250661Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", + "ingested": "2021-06-09T10:11:23.658622200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5521,8 +5475,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -5570,7 +5523,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5586,8 +5539,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401251934Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "ingested": "2021-06-09T10:11:23.658623200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5606,8 +5559,7 @@ "mapped_source_ip": "100.66.198.40", "connection_id": "11787", "source_interface": "outside", - "mapped_destination_port": 1459, - "message_id": "302013" + "mapped_destination_port": 1459 } } }, @@ -5655,7 +5607,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5672,8 +5624,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401253262Z", - "original": "%ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "ingested": "2021-06-09T10:11:23.658624200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -5690,7 +5642,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11786", "source_interface": "outside" } @@ -5739,7 +5690,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5755,8 +5706,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401254571Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", + "ingested": "2021-06-09T10:11:23.658625600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5770,8 +5721,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -5819,7 +5769,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5835,8 +5785,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401255829Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "ingested": "2021-06-09T10:11:23.658626600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5855,8 +5805,7 @@ "mapped_source_ip": "100.66.192.44", "connection_id": "11788", "source_interface": "outside", - "mapped_destination_port": 1460, - "message_id": "302013" + "mapped_destination_port": 1460 } } }, @@ -5879,7 +5828,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -5891,8 +5840,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401257093Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658627600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -5904,9 +5853,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -5952,7 +5899,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -5968,8 +5915,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401258338Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", + "ingested": "2021-06-09T10:11:23.658628600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5983,8 +5930,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -6032,7 +5978,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6048,8 +5994,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401259588Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "ingested": "2021-06-09T10:11:23.658629600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -6068,8 +6014,7 @@ "mapped_source_ip": "100.66.19.254", "connection_id": "11797", "source_interface": "outside", - "mapped_destination_port": 1385, - "message_id": "302013" + "mapped_destination_port": 1385 } } }, @@ -6092,7 +6037,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6104,8 +6049,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401260863Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658630700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6117,9 +6062,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -6141,7 +6084,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6153,8 +6096,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401262287Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658631700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6166,9 +6109,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -6190,7 +6131,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6202,8 +6143,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401263565Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658632800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6215,9 +6156,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -6239,7 +6178,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6251,8 +6190,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401264814Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658633800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6264,9 +6203,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -6288,7 +6225,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6300,8 +6237,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401266070Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658634800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6313,9 +6250,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -6337,7 +6272,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6349,8 +6284,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401267332Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658635800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6362,9 +6297,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -6411,7 +6344,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6428,8 +6361,9 @@ "event": { "severity": 6, "duration": 325000000000, - "ingested": "2021-06-03T06:53:21.401268588Z", - "original": "%ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658636800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:29:31.000Z", @@ -6446,7 +6380,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11564", "source_interface": "outside" } @@ -6496,7 +6429,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6513,8 +6446,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401270850Z", - "original": "%ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658637900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -6531,7 +6465,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11797", "source_interface": "outside" } @@ -6580,7 +6513,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6596,8 +6529,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401272165Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", + "ingested": "2021-06-09T10:11:23.658638900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -6611,8 +6544,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -6660,7 +6592,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6676,8 +6608,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401273419Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "ingested": "2021-06-09T10:11:23.658639900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -6696,8 +6628,7 @@ "mapped_source_ip": "100.66.115.46", "connection_id": "11798", "source_interface": "outside", - "mapped_destination_port": 1386, - "message_id": "302013" + "mapped_destination_port": 1386 } } }, @@ -6744,7 +6675,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6760,8 +6691,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401274670Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658640900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6772,12 +6703,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -6826,7 +6756,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -6842,8 +6772,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401275923Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658641900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6854,12 +6784,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -6908,7 +6837,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -6924,8 +6853,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401277190Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658642900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6936,12 +6865,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -6990,7 +6918,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7006,8 +6934,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401278450Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658643900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7018,12 +6946,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7072,7 +6999,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7088,8 +7015,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401279717Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658644900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7100,12 +7027,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7154,7 +7080,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7170,8 +7096,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401280975Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658646Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7182,12 +7108,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7236,7 +7161,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7252,8 +7177,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401282235Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658647Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7264,12 +7189,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7318,7 +7242,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7334,8 +7258,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401283518Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658648Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7346,12 +7270,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7400,7 +7323,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7416,8 +7339,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401284774Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658649Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7428,12 +7351,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7482,7 +7404,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7498,8 +7420,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401286057Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658650Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7510,12 +7432,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7564,7 +7485,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7580,8 +7501,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401287319Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658651Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7592,12 +7513,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7646,7 +7566,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7662,8 +7582,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401288574Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658652Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7674,12 +7594,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7728,7 +7647,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7744,8 +7663,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401289860Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658653Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7756,12 +7675,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -7810,7 +7728,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7826,8 +7744,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401291129Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "ingested": "2021-06-09T10:11:23.658654100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -7841,8 +7759,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -7890,7 +7807,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -7906,8 +7823,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401292400Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "ingested": "2021-06-09T10:11:23.658655100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -7926,8 +7843,7 @@ "mapped_source_ip": "100.66.205.99", "connection_id": "11799", "source_interface": "outside", - "mapped_destination_port": 1275, - "message_id": "302013" + "mapped_destination_port": 1275 } } }, @@ -7974,7 +7890,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -7990,8 +7906,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401293719Z", - "original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "ingested": "2021-06-09T10:11:23.658691200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8005,8 +7921,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -8054,7 +7969,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8070,8 +7985,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401294995Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658692500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8090,8 +8005,7 @@ "mapped_source_ip": "100.66.14.30", "connection_id": "11800", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -8139,7 +8053,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8156,8 +8070,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401296267Z", - "original": "%ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", + "ingested": "2021-06-09T10:11:23.658693700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8174,7 +8088,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11800", "source_interface": "outside" } @@ -8224,7 +8137,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8240,8 +8153,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401297542Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658694800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8260,8 +8173,7 @@ "mapped_source_ip": "100.66.252.210", "connection_id": "11801", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -8309,7 +8221,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8326,8 +8238,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401298799Z", - "original": "%ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", + "ingested": "2021-06-09T10:11:23.658695900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8344,7 +8256,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11801", "source_interface": "outside" } @@ -8393,7 +8304,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8409,8 +8320,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401300145Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", + "ingested": "2021-06-09T10:11:23.658696900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8424,8 +8335,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -8473,7 +8383,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8489,8 +8399,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401301419Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", + "ingested": "2021-06-09T10:11:23.658698Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8509,8 +8419,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11802", "source_interface": "outside", - "mapped_destination_port": 1276, - "message_id": "302013" + "mapped_destination_port": 1276 } } }, @@ -8557,7 +8466,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8573,8 +8482,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401302673Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", + "ingested": "2021-06-09T10:11:23.658698900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8588,8 +8497,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -8637,7 +8545,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8653,8 +8561,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401303928Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", + "ingested": "2021-06-09T10:11:23.658699900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8673,8 +8581,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11803", "source_interface": "outside", - "mapped_destination_port": 1277, - "message_id": "302013" + "mapped_destination_port": 1277 } } }, @@ -8722,7 +8629,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8739,8 +8646,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401305188Z", - "original": "%ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658700900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8757,7 +8665,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11802", "source_interface": "outside" } @@ -8806,7 +8713,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8822,8 +8729,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401306450Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", + "ingested": "2021-06-09T10:11:23.658701900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8837,8 +8744,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -8886,7 +8792,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -8902,8 +8808,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401307727Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", + "ingested": "2021-06-09T10:11:23.658702900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8922,8 +8828,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11804", "source_interface": "outside", - "mapped_destination_port": 1278, - "message_id": "302013" + "mapped_destination_port": 1278 } } }, @@ -8971,7 +8876,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -8988,8 +8893,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401309113Z", - "original": "%ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658704Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9006,7 +8912,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11803", "source_interface": "outside" } @@ -9055,7 +8960,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9071,8 +8976,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401310493Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", + "ingested": "2021-06-09T10:11:23.658705Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9086,8 +8991,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -9135,7 +9039,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9151,8 +9055,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401311751Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", + "ingested": "2021-06-09T10:11:23.658706Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9171,8 +9075,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11805", "source_interface": "outside", - "mapped_destination_port": 1279, - "message_id": "302013" + "mapped_destination_port": 1279 } } }, @@ -9220,7 +9123,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9237,8 +9140,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401313023Z", - "original": "%ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658707100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9255,7 +9159,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11804", "source_interface": "outside" } @@ -9305,7 +9208,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9322,8 +9225,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401314284Z", - "original": "%ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658708100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9340,7 +9244,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11805", "source_interface": "outside" } @@ -9389,7 +9292,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9405,8 +9308,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401315546Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", + "ingested": "2021-06-09T10:11:23.658709100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9420,8 +9323,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -9469,7 +9371,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9485,8 +9387,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401316804Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", + "ingested": "2021-06-09T10:11:23.658710100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9505,8 +9407,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11806", "source_interface": "outside", - "mapped_destination_port": 1280, - "message_id": "302013" + "mapped_destination_port": 1280 } } }, @@ -9554,7 +9455,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9571,8 +9472,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401318075Z", - "original": "%ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658711500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9589,7 +9491,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11806", "source_interface": "outside" } @@ -9638,7 +9539,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9654,8 +9555,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401319352Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", + "ingested": "2021-06-09T10:11:23.658712500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9669,8 +9570,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -9718,7 +9618,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9734,8 +9634,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401320608Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", + "ingested": "2021-06-09T10:11:23.658713600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9754,8 +9654,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11807", "source_interface": "outside", - "mapped_destination_port": 1281, - "message_id": "302013" + "mapped_destination_port": 1281 } } }, @@ -9802,7 +9701,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9818,8 +9717,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401321866Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", + "ingested": "2021-06-09T10:11:23.658714600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9833,8 +9732,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -9882,7 +9780,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -9898,8 +9796,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401323144Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", + "ingested": "2021-06-09T10:11:23.658715600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9918,8 +9816,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11808", "source_interface": "outside", - "mapped_destination_port": 1282, - "message_id": "302013" + "mapped_destination_port": 1282 } } }, @@ -9966,7 +9863,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -9982,8 +9879,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401324453Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", + "ingested": "2021-06-09T10:11:23.658716600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9997,8 +9894,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -10046,7 +9942,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10062,8 +9958,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401325878Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", + "ingested": "2021-06-09T10:11:23.658717600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10082,8 +9978,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11809", "source_interface": "outside", - "mapped_destination_port": 1283, - "message_id": "302013" + "mapped_destination_port": 1283 } } }, @@ -10130,7 +10025,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10146,8 +10041,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401327132Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", + "ingested": "2021-06-09T10:11:23.658718600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10161,8 +10056,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -10210,7 +10104,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10226,8 +10120,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401328383Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", + "ingested": "2021-06-09T10:11:23.658719600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10246,8 +10140,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11810", "source_interface": "outside", - "mapped_destination_port": 1284, - "message_id": "302013" + "mapped_destination_port": 1284 } } }, @@ -10295,7 +10188,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10312,8 +10205,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401329638Z", - "original": "%ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658720600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10330,7 +10224,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11807", "source_interface": "outside" } @@ -10380,7 +10273,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10397,8 +10290,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401330916Z", - "original": "%ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658721600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10415,7 +10309,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11808", "source_interface": "outside" } @@ -10465,7 +10358,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10482,8 +10375,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401332206Z", - "original": "%ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658722600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10500,7 +10394,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11809", "source_interface": "outside" } @@ -10549,7 +10442,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10565,8 +10458,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401333461Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", + "ingested": "2021-06-09T10:11:23.658723500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10580,8 +10473,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -10629,7 +10521,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10645,8 +10537,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401334720Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", + "ingested": "2021-06-09T10:11:23.658724500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10665,8 +10557,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11811", "source_interface": "outside", - "mapped_destination_port": 1285, - "message_id": "302013" + "mapped_destination_port": 1285 } } }, @@ -10713,7 +10604,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10729,8 +10620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401335983Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", + "ingested": "2021-06-09T10:11:23.658725500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10744,8 +10635,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -10793,7 +10683,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10809,8 +10699,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401337631Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", + "ingested": "2021-06-09T10:11:23.658726500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10829,8 +10719,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11812", "source_interface": "outside", - "mapped_destination_port": 1286, - "message_id": "302013" + "mapped_destination_port": 1286 } } }, @@ -10878,7 +10767,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -10895,8 +10784,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401339027Z", - "original": "%ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658727500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10913,7 +10803,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11810", "source_interface": "outside" } @@ -10962,7 +10851,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -10978,8 +10867,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401340288Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", + "ingested": "2021-06-09T10:11:23.658728500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10993,8 +10882,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -11042,7 +10930,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11058,8 +10946,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401341543Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", + "ingested": "2021-06-09T10:11:23.658729500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -11078,8 +10966,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11813", "source_interface": "outside", - "mapped_destination_port": 1287, - "message_id": "302013" + "mapped_destination_port": 1287 } } }, @@ -11127,7 +11014,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11144,8 +11031,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401342811Z", - "original": "%ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658730500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11162,7 +11050,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11811", "source_interface": "outside" } @@ -11212,7 +11099,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11229,8 +11116,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401344940Z", - "original": "%ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658731400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11247,7 +11135,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11812", "source_interface": "outside" } @@ -11297,7 +11184,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11313,8 +11200,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401347448Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658732500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11333,8 +11220,7 @@ "mapped_source_ip": "100.66.100.107", "connection_id": "11814", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -11381,7 +11267,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11397,8 +11283,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401348809Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", + "ingested": "2021-06-09T10:11:23.658733500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11412,8 +11298,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -11461,7 +11346,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11477,8 +11362,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401350450Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", + "ingested": "2021-06-09T10:11:23.658735Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -11497,8 +11382,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11815", "source_interface": "outside", - "mapped_destination_port": 1288, - "message_id": "302013" + "mapped_destination_port": 1288 } } }, @@ -11546,7 +11430,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11563,8 +11447,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401351737Z", - "original": "%ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", + "ingested": "2021-06-09T10:11:23.658735900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11581,7 +11465,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11814", "source_interface": "outside" } @@ -11631,7 +11514,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11647,8 +11530,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401353003Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658736900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11667,8 +11550,7 @@ "mapped_source_ip": "100.66.104.8", "connection_id": "11816", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -11716,7 +11598,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11733,8 +11615,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401354274Z", - "original": "%ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", + "ingested": "2021-06-09T10:11:23.658737900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11751,7 +11633,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11816", "source_interface": "outside" } @@ -11800,7 +11681,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11816,8 +11697,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401355539Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", + "ingested": "2021-06-09T10:11:23.658738900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11831,8 +11712,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -11880,7 +11760,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -11896,8 +11776,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401356806Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", + "ingested": "2021-06-09T10:11:23.658739900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -11916,8 +11796,7 @@ "mapped_source_ip": "100.66.123.191", "connection_id": "11817", "source_interface": "outside", - "mapped_destination_port": 1289, - "message_id": "302013" + "mapped_destination_port": 1289 } } }, @@ -11965,7 +11844,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -11982,8 +11861,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401358065Z", - "original": "%ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658740900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12000,7 +11880,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11815", "source_interface": "outside" } @@ -12050,7 +11929,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12067,8 +11946,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401359320Z", - "original": "%ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658741800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12085,7 +11965,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11813", "source_interface": "outside" } @@ -12135,7 +12014,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12151,8 +12030,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401360591Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658743Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12171,8 +12050,7 @@ "mapped_source_ip": "100.66.100.4", "connection_id": "11818", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -12220,7 +12098,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12237,8 +12115,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401361858Z", - "original": "%ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-06-09T10:11:23.658743900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12255,7 +12133,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11818", "source_interface": "outside" } @@ -12304,7 +12181,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12320,8 +12197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401363123Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", + "ingested": "2021-06-09T10:11:23.658744900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -12335,8 +12212,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -12384,7 +12260,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12400,8 +12276,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401364400Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", + "ingested": "2021-06-09T10:11:23.658745900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -12420,8 +12296,7 @@ "mapped_source_ip": "100.66.198.25", "connection_id": "11819", "source_interface": "outside", - "mapped_destination_port": 1290, - "message_id": "302013" + "mapped_destination_port": 1290 } } }, @@ -12469,7 +12344,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12486,8 +12361,8 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-06-03T06:53:21.401365667Z", - "original": "%ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", + "ingested": "2021-06-09T10:11:23.658746900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", "start": "2018-10-10T11:36:10.000Z", @@ -12504,7 +12379,6 @@ "cisco": { "ftd": { "destination_interface": "NP Identity Ifc", - "message_id": "302016", "connection_id": "9828", "source_interface": "outside" } @@ -12529,7 +12403,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12541,8 +12415,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401366920Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658747800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -12554,9 +12428,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -12603,7 +12475,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12619,8 +12491,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401368189Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658748800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12639,8 +12511,7 @@ "mapped_source_ip": "100.66.3.39", "connection_id": "11820", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -12688,7 +12559,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12704,8 +12575,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401369442Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658749800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12724,8 +12595,7 @@ "mapped_source_ip": "100.66.162.30", "connection_id": "11821", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -12773,7 +12643,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12790,8 +12660,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401370715Z", - "original": "%ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", + "ingested": "2021-06-09T10:11:23.658750900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12808,7 +12678,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11820", "source_interface": "outside" } @@ -12858,7 +12727,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -12874,8 +12743,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401371977Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658751900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12894,8 +12763,7 @@ "mapped_source_ip": "100.66.3.39", "connection_id": "11822", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -12943,7 +12811,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -12960,8 +12828,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401373233Z", - "original": "%ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", + "ingested": "2021-06-09T10:11:23.658752800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12978,7 +12846,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11821", "source_interface": "outside" } @@ -13028,7 +12895,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13045,8 +12912,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401374492Z", - "original": "%ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "ingested": "2021-06-09T10:11:23.658753900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -13063,7 +12930,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11822", "source_interface": "outside" } @@ -13113,7 +12979,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13129,8 +12995,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401375743Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658754800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13149,8 +13015,7 @@ "mapped_source_ip": "100.66.48.186", "connection_id": "11823", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -13198,7 +13063,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13215,8 +13080,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401376989Z", - "original": "%ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", + "ingested": "2021-06-09T10:11:23.658755800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -13233,7 +13098,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11823", "source_interface": "outside" } @@ -13282,7 +13146,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13298,8 +13162,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401378243Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295", + "ingested": "2021-06-09T10:11:23.658756800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13313,8 +13177,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -13362,7 +13225,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13378,8 +13241,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401379503Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", + "ingested": "2021-06-09T10:11:23.658758400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13398,8 +13261,7 @@ "mapped_source_ip": "100.66.54.190", "connection_id": "11824", "source_interface": "outside", - "mapped_destination_port": 1291, - "message_id": "302013" + "mapped_destination_port": 1291 } } }, @@ -13447,7 +13309,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13463,8 +13325,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401380925Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658759400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13483,8 +13345,7 @@ "mapped_source_ip": "100.66.254.94", "connection_id": "11825", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -13532,7 +13393,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13549,8 +13410,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401382305Z", - "original": "%ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", + "ingested": "2021-06-09T10:11:23.658760400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -13567,7 +13428,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11825", "source_interface": "outside" } @@ -13616,7 +13476,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13632,8 +13492,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401383625Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296", + "ingested": "2021-06-09T10:11:23.658761400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13647,8 +13507,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -13696,7 +13555,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13712,8 +13571,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401384871Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", + "ingested": "2021-06-09T10:11:23.658762400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13732,8 +13591,7 @@ "mapped_source_ip": "100.66.54.190", "connection_id": "11826", "source_interface": "outside", - "mapped_destination_port": 1292, - "message_id": "302013" + "mapped_destination_port": 1292 } } }, @@ -13780,7 +13638,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13796,8 +13654,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401386127Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297", + "ingested": "2021-06-09T10:11:23.658763400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13811,8 +13669,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -13860,7 +13717,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -13876,8 +13733,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401387394Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", + "ingested": "2021-06-09T10:11:23.658764400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13896,8 +13753,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11827", "source_interface": "outside", - "mapped_destination_port": 1293, - "message_id": "302013" + "mapped_destination_port": 1293 } } }, @@ -13944,7 +13800,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -13960,8 +13816,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401388642Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298", + "ingested": "2021-06-09T10:11:23.658765400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13975,8 +13831,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -14024,7 +13879,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14040,8 +13895,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401389961Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", + "ingested": "2021-06-09T10:11:23.658766300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14060,8 +13915,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11828", "source_interface": "outside", - "mapped_destination_port": 1294, - "message_id": "302013" + "mapped_destination_port": 1294 } } }, @@ -14109,7 +13963,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14126,8 +13980,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401391298Z", - "original": "%ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658767300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14144,7 +13999,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11827", "source_interface": "outside" } @@ -14193,7 +14047,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14209,8 +14063,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401392554Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299", + "ingested": "2021-06-09T10:11:23.658769700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14224,8 +14078,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -14273,7 +14126,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14289,8 +14142,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401393827Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", + "ingested": "2021-06-09T10:11:23.658770700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14309,8 +14162,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11829", "source_interface": "outside", - "mapped_destination_port": 1295, - "message_id": "302013" + "mapped_destination_port": 1295 } } }, @@ -14357,7 +14209,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14373,8 +14225,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401395087Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300", + "ingested": "2021-06-09T10:11:23.658771700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14388,8 +14240,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -14437,7 +14288,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14453,8 +14304,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401396348Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", + "ingested": "2021-06-09T10:11:23.658772700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14473,8 +14324,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11830", "source_interface": "outside", - "mapped_destination_port": 1296, - "message_id": "302013" + "mapped_destination_port": 1296 } } }, @@ -14522,7 +14372,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14539,8 +14389,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401397616Z", - "original": "%ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658774Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14557,7 +14408,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11828", "source_interface": "outside" } @@ -14607,7 +14457,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14624,8 +14474,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401398884Z", - "original": "%ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658775Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14642,7 +14493,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11829", "source_interface": "outside" } @@ -14692,7 +14542,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14709,8 +14559,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401400139Z", - "original": "%ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658776Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14727,7 +14578,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11830", "source_interface": "outside" } @@ -14776,7 +14626,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14792,8 +14642,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401401398Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301", + "ingested": "2021-06-09T10:11:23.658777Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14807,8 +14657,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -14856,7 +14705,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -14872,8 +14721,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401402647Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", + "ingested": "2021-06-09T10:11:23.658778Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14892,8 +14741,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11831", "source_interface": "outside", - "mapped_destination_port": 1297, - "message_id": "302013" + "mapped_destination_port": 1297 } } }, @@ -14940,7 +14788,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -14956,8 +14804,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401403942Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302", + "ingested": "2021-06-09T10:11:23.658778900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14971,8 +14819,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -15020,7 +14867,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15036,8 +14883,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401405213Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", + "ingested": "2021-06-09T10:11:23.658779900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15056,8 +14903,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11832", "source_interface": "outside", - "mapped_destination_port": 1298, - "message_id": "302013" + "mapped_destination_port": 1298 } } }, @@ -15105,7 +14951,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15121,8 +14967,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401406467Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658780900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -15141,8 +14987,7 @@ "mapped_source_ip": "100.66.179.9", "connection_id": "11833", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -15190,7 +15035,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15207,8 +15052,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401408811Z", - "original": "%ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "ingested": "2021-06-09T10:11:23.658782Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15225,7 +15070,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11833", "source_interface": "outside" } @@ -15275,7 +15119,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15292,8 +15136,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401410100Z", - "original": "%ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658783Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15310,7 +15155,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11831", "source_interface": "outside" } @@ -15359,7 +15203,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15375,8 +15219,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401411400Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303", + "ingested": "2021-06-09T10:11:23.658784Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15390,8 +15234,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -15439,7 +15282,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15455,8 +15298,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401412662Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", + "ingested": "2021-06-09T10:11:23.658785Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15475,8 +15318,7 @@ "mapped_source_ip": "100.66.247.99", "connection_id": "11834", "source_interface": "outside", - "mapped_destination_port": 1299, - "message_id": "302013" + "mapped_destination_port": 1299 } } }, @@ -15523,7 +15365,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15539,8 +15381,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401413925Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304", + "ingested": "2021-06-09T10:11:23.658786Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15554,8 +15396,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -15603,7 +15444,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15619,8 +15460,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401415195Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", + "ingested": "2021-06-09T10:11:23.658787Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15639,8 +15480,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11835", "source_interface": "outside", - "mapped_destination_port": 1300, - "message_id": "302013" + "mapped_destination_port": 1300 } } }, @@ -15688,7 +15528,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15705,8 +15545,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401416454Z", - "original": "%ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658788Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15723,7 +15564,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11832", "source_interface": "outside" } @@ -15773,7 +15613,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15790,8 +15630,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401417731Z", - "original": "%ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:23.658789Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15808,7 +15649,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11835", "source_interface": "outside" } @@ -15857,7 +15697,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -15873,8 +15713,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401418999Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305", + "ingested": "2021-06-09T10:11:23.658789900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15888,8 +15728,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -15937,7 +15776,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -15953,8 +15792,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401420255Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", + "ingested": "2021-06-09T10:11:23.658790900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15973,8 +15812,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11836", "source_interface": "outside", - "mapped_destination_port": 1301, - "message_id": "302013" + "mapped_destination_port": 1301 } } }, @@ -16021,7 +15859,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16037,8 +15875,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401421523Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306", + "ingested": "2021-06-09T10:11:23.658791900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -16052,8 +15890,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -16101,7 +15938,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16117,8 +15954,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401422785Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", + "ingested": "2021-06-09T10:11:23.658792900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -16137,8 +15974,7 @@ "mapped_source_ip": "100.66.98.165", "connection_id": "11837", "source_interface": "outside", - "mapped_destination_port": 1302, - "message_id": "302013" + "mapped_destination_port": 1302 } } }, @@ -16161,7 +15997,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16173,8 +16009,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401424043Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658793900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16186,9 +16022,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16210,7 +16044,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16222,8 +16056,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401425320Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658794800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16235,9 +16069,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16259,7 +16091,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16271,8 +16103,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401426578Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658795800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16284,9 +16116,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16308,7 +16138,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16320,8 +16150,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401427835Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658796900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16333,9 +16163,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16357,7 +16185,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16369,8 +16197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401429118Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658797900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16382,9 +16210,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16406,7 +16232,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16418,8 +16244,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401430383Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658798900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16431,9 +16257,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16455,7 +16279,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16467,8 +16291,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401431650Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658799800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16480,9 +16304,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16504,7 +16326,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16516,8 +16338,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401432924Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658800800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16529,9 +16351,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16553,7 +16373,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16565,8 +16385,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401435269Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658801900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16578,9 +16398,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16602,7 +16420,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16614,8 +16432,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401436695Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658802900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16627,9 +16445,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16651,7 +16467,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16663,8 +16479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401438005Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658803800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16676,9 +16492,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16700,7 +16514,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16712,8 +16526,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401439296Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658804900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16725,9 +16539,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16749,7 +16561,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16761,8 +16573,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401440561Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658805900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16774,9 +16586,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16798,7 +16608,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16810,8 +16620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401441819Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658807200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16823,9 +16633,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16847,7 +16655,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -16859,8 +16667,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401443088Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658808100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16872,9 +16680,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -16920,7 +16726,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -16936,8 +16742,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401444458Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", + "ingested": "2021-06-09T10:11:23.658809100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -16951,8 +16757,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -17000,7 +16805,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17016,8 +16821,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401445815Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", + "ingested": "2021-06-09T10:11:23.658810100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -17036,8 +16841,7 @@ "mapped_source_ip": "100.66.205.99", "connection_id": "11840", "source_interface": "outside", - "mapped_destination_port": 1304, - "message_id": "302013" + "mapped_destination_port": 1304 } } }, @@ -17060,7 +16864,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17072,8 +16876,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401447153Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658811100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17085,9 +16889,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -17109,7 +16911,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17121,8 +16923,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401448428Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658812100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17134,9 +16936,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -17183,7 +16983,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17199,8 +16999,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401449697Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658813100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -17219,8 +17019,7 @@ "mapped_source_ip": "100.66.0.124", "connection_id": "11841", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -17268,7 +17067,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17284,8 +17083,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401450994Z", - "original": "%ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-06-09T10:11:23.658814100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -17304,8 +17103,7 @@ "mapped_source_ip": "100.66.160.2", "connection_id": "11842", "source_interface": "outside", - "mapped_destination_port": 56132, - "message_id": "302015" + "mapped_destination_port": 56132 } } }, @@ -17353,7 +17151,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17370,8 +17168,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401452277Z", - "original": "%ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", + "ingested": "2021-06-09T10:11:23.658815Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17388,7 +17186,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11841", "source_interface": "outside" } @@ -17438,7 +17235,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17455,8 +17252,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:21.401453533Z", - "original": "%ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-06-09T10:11:23.658816100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17473,7 +17270,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "11842", "source_interface": "outside" } @@ -17522,7 +17318,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17538,8 +17334,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401454795Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", + "ingested": "2021-06-09T10:11:23.658817Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -17553,8 +17349,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -17602,7 +17397,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17618,8 +17413,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401456073Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", + "ingested": "2021-06-09T10:11:23.658818Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -17638,8 +17433,7 @@ "mapped_source_ip": "100.66.124.24", "connection_id": "11843", "source_interface": "outside", - "mapped_destination_port": 1305, - "message_id": "302013" + "mapped_destination_port": 1305 } } }, @@ -17662,7 +17456,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17674,8 +17468,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401457334Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658819Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17687,9 +17481,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -17711,7 +17503,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17723,8 +17515,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401458610Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658820Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17736,9 +17528,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -17760,7 +17550,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17772,8 +17562,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401459880Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658821Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17785,9 +17575,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -17809,7 +17597,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17821,8 +17609,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401461146Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658822Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17834,9 +17622,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -17858,7 +17644,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17870,8 +17656,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401462416Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658823Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17883,9 +17669,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -17907,7 +17691,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -17919,8 +17703,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401463685Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658824Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17932,9 +17716,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -17956,7 +17738,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -17968,8 +17750,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401464956Z", - "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30", + "ingested": "2021-06-09T10:11:23.658825Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17981,9 +17763,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "305012" - } + "ftd": {} } }, { @@ -18030,7 +17810,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18047,8 +17827,9 @@ "event": { "severity": 6, "duration": 4000000000, - "ingested": "2021-06-03T06:53:21.401466256Z", - "original": "%ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", + "reason": "TCP Reset-I", + "ingested": "2021-06-09T10:11:23.658825900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:52.000Z", @@ -18065,7 +17846,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302014", "connection_id": "11843", "source_interface": "outside" } @@ -18114,7 +17894,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18130,8 +17910,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401467630Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658827Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18142,12 +17922,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18196,7 +17975,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18212,8 +17991,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401468900Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658827900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18224,12 +18003,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18278,7 +18056,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18294,8 +18072,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401470190Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658828900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18306,12 +18084,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18360,7 +18137,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18376,8 +18153,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401471460Z", - "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310", + "ingested": "2021-06-09T10:11:23.658829900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -18391,8 +18168,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -18440,7 +18216,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18456,8 +18232,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:21.401472808Z", - "original": "%ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", + "ingested": "2021-06-09T10:11:23.658830900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -18476,8 +18252,7 @@ "mapped_source_ip": "100.66.124.24", "connection_id": "11844", "source_interface": "outside", - "mapped_destination_port": 1306, - "message_id": "302013" + "mapped_destination_port": 1306 } } }, @@ -18524,7 +18299,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18540,8 +18315,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401474149Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658831900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18552,12 +18327,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18606,7 +18380,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18622,8 +18396,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401475405Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658832800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18634,12 +18408,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18688,7 +18461,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18704,8 +18477,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401476667Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658833800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18716,12 +18489,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18770,7 +18542,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18786,8 +18558,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401479133Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658834800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18798,12 +18570,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18852,7 +18623,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -18868,8 +18639,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401480573Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658835800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18880,12 +18651,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -18934,7 +18704,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -18950,8 +18720,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401481958Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658836800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18962,12 +18732,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19016,7 +18785,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19032,8 +18801,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401483343Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658837800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19044,12 +18813,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19098,7 +18866,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19114,8 +18882,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401484664Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658838800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19126,12 +18894,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19180,7 +18947,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19196,8 +18963,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401485981Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658839800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19208,12 +18975,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19262,7 +19028,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19278,8 +19044,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401487368Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658840800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19290,12 +19056,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19344,7 +19109,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19360,8 +19125,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401489106Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658841800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19372,12 +19137,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19426,7 +19190,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19442,8 +19206,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401490430Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658842800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19454,12 +19218,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19508,7 +19271,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19524,8 +19287,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401491748Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658843800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19536,12 +19299,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19590,7 +19352,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19606,8 +19368,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401493068Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658844800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19618,12 +19380,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19672,7 +19433,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19688,8 +19449,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401494391Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658845800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19700,12 +19461,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19754,7 +19514,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19770,8 +19530,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401495778Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658846800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19782,12 +19542,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19836,7 +19595,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -19852,8 +19611,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401497093Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658847800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19864,12 +19623,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -19918,7 +19676,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -19934,8 +19692,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401498428Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658861900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -19946,12 +19704,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20000,7 +19757,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20016,8 +19773,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401499769Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658863200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20028,12 +19785,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20082,7 +19838,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20098,8 +19854,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401501081Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658864400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20110,12 +19866,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20164,7 +19919,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20180,8 +19935,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401502399Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658865400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20192,12 +19947,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20246,7 +20000,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20262,8 +20016,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401503764Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658866400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20274,12 +20028,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20328,7 +20081,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20344,8 +20097,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401505084Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658867800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20356,12 +20109,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20410,7 +20162,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20426,8 +20178,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401506427Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658868700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20438,12 +20190,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20492,7 +20243,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20508,8 +20259,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401507743Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658869800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20520,12 +20271,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20574,7 +20324,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20590,8 +20340,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401509079Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658870800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20602,12 +20352,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20656,7 +20405,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20672,8 +20421,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401510442Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658871800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20684,12 +20433,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20738,7 +20486,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20754,8 +20502,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401511772Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658872800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20766,12 +20514,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20820,7 +20567,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -20836,8 +20583,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401513084Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658873800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20848,12 +20595,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20902,7 +20648,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -20918,8 +20664,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401514411Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658874800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -20930,12 +20676,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -20984,7 +20729,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -21000,8 +20745,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401515731Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658875800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -21012,12 +20757,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -21066,7 +20810,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -21082,8 +20826,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401517101Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658878200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -21094,12 +20838,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } @@ -21148,7 +20891,7 @@ }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -21164,8 +20907,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:21.401518432Z", - "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-06-09T10:11:23.658879200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -21176,12 +20919,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "inbound", "source_interface": "outside" } diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json index e9a7ea7663a..1ce8e79ad0b 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json @@ -67,7 +67,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -87,8 +87,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100780315Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70", + "ingested": "2021-06-09T10:11:31.564034900Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -102,7 +102,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -138,7 +138,6 @@ "responder_bytes": "145", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -214,7 +213,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -234,8 +233,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100786966Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299", + "ingested": "2021-06-09T10:11:31.564039800Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -249,7 +248,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -287,7 +286,6 @@ "responder_bytes": "193", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" 
@@ -363,7 +361,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -383,8 +381,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100788497Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", + "ingested": "2021-06-09T10:11:31.564042600Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -398,7 +396,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", 
@@ -434,7 +432,6 @@ "responder_bytes": "166", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -510,7 +507,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -530,8 +527,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100792493Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12", + "ingested": "2021-06-09T10:11:31.564043600Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", 
@@ -545,7 +542,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -583,7 +580,6 @@ "responder_bytes": "200", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -659,7 +655,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -679,8 +675,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100794079Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error", + "ingested": "2021-06-09T10:11:31.564044600Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -694,7 +690,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -731,7 +727,6 @@ "dns_response_type": "No error", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" 
@@ -807,7 +802,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -827,8 +822,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100795441Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658", + "ingested": "2021-06-09T10:11:31.564045600Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -842,7 +837,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", 
@@ -878,7 +873,6 @@ "responder_bytes": "166", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -954,7 +948,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -974,8 +968,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100796809Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", + "ingested": "2021-06-09T10:11:31.564046500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -989,7 +983,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", 
@@ -1028,7 +1022,6 @@ "dns_response_type": "Non-Existent Domain", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -1104,7 +1097,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -1124,8 +1117,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100798199Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", + "ingested": "2021-06-09T10:11:31.564047500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", 
@@ -1139,7 +1132,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -1175,7 +1168,6 @@ "responder_bytes": "221", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -1251,7 +1243,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1271,8 +1263,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100799517Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", + "ingested": "2021-06-09T10:11:31.564048500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -1286,7 +1278,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -1323,7 +1315,6 @@ "dns_response_type": "Server Failure", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" 
@@ -1399,7 +1390,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -1419,8 +1410,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100800836Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", + "ingested": "2021-06-09T10:11:31.564049400Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -1434,7 +1425,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", 
@@ -1472,7 +1463,6 @@ "responder_bytes": "722", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -1551,7 +1541,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -1571,8 +1561,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100802168Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused", + "ingested": "2021-06-09T10:11:31.564050500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", 
@@ -1586,7 +1576,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -1622,7 +1612,6 @@ "dns_response_type": "Query Refused", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -1694,7 +1683,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -1714,8 +1703,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100803623Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", + "ingested": "2021-06-09T10:11:31.564051600Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", 
@@ -1729,7 +1718,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -1763,7 +1752,6 @@ "dns_response_type": "Server Failure", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -1839,7 +1827,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1859,8 +1847,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100804950Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", + "ingested": "2021-06-09T10:11:31.564052500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -1874,7 +1862,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -1911,7 +1899,6 @@ "dns_response_type": "Non-Existent Domain", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" 
@@ -1987,7 +1974,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -2007,8 +1994,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100806263Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", + "ingested": "2021-06-09T10:11:31.564053500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2022,7 +2009,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", 
@@ -2058,7 +2045,6 @@ "responder_bytes": "108", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -2134,7 +2120,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -2154,8 +2140,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100807590Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", + "ingested": "2021-06-09T10:11:31.564054500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", 
@@ -2169,7 +2155,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -2206,7 +2192,6 @@ "dns_response_type": "Non-Existent Domain", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -2282,7 +2267,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2302,8 +2287,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100808944Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", + "ingested": "2021-06-09T10:11:31.564055400Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2317,7 +2302,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -2355,7 +2340,6 @@ "responder_bytes": "199", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" 
@@ -2431,7 +2415,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -2451,8 +2435,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100810382Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", + "ingested": "2021-06-09T10:11:31.564056500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2466,7 +2450,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", 
@@ -2502,7 +2486,6 @@ "responder_bytes": "166", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -2578,7 +2561,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -2598,8 +2581,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100811703Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", + "ingested": "2021-06-09T10:11:31.564057500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", 
@@ -2613,7 +2596,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -2649,7 +2632,6 @@ "responder_bytes": "166", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" @@ -2725,7 +2707,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2745,8 +2727,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100813028Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", + "ingested": "2021-06-09T10:11:31.564058400Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2760,7 +2742,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -2796,7 +2778,6 @@ "responder_bytes": "221", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" 
@@ -2871,7 +2852,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -2891,8 +2872,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100814387Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", + "ingested": "2021-06-09T10:11:31.564059400Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2906,7 +2887,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -2941,7 +2922,6 @@ "responder_bytes": "131", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" 
@@ -3017,7 +2997,7 @@ }, "@timestamp": "2019-08-26T23:11:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -3037,8 +3017,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:33.100853454Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", + "ingested": "2021-06-09T10:11:31.564060400Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -3052,7 +3032,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", 
@@ -3090,7 +3070,6 @@ "responder_bytes": "722", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json index 51b93019b9d..1a1169e0945 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json @@ -19,7 +19,7 @@ }, "@timestamp": "2019-01-01T01:00:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -31,8 +31,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.550545963Z", - "original": "%FTD-7-999999: This message is not filtered.", + "ingested": "2021-06-09T10:11:32.562561400Z", + "original": "Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.", "code": "999999", "kind": "event", "action": "firewall-rule", @@ -44,9 +44,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "999999" - } + "ftd": {} } }, { @@ -62,7 +60,7 @@ }, "@timestamp": "2019-01-01T01:00:30.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -74,8 +72,8 @@ }, "event": { "severity": 8, - "ingested": "2021-06-03T06:53:34.550594129Z", - "original": "%FTD-8-999999: This phony message is dropped due to log level.", + "ingested": "2021-06-09T10:11:32.562566600Z", + "original": "Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level.", "code": "999999", "kind": "event", "action": "firewall-rule", @@ -87,9 +85,7 @@ ] }, "cisco": { - "ftd": { - "message_id": "999999" - } + "ftd": {} }, "tags": [ "preserve_original_event" 
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json index 139af3f261b..ff5da08ed85 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json 
@@ -1,1231 +1,1265 @@ { "expected": [ { + "process": { + "name": "platformSettingEdit.cgi" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } + }, + "tags": [ + "preserve_original_event" + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T13:56:30.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607388817Z", - "original": "admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598366800Z", + "original": "\u003c14\u003eAug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "platformSettingEdit.cgi" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T13:57:19.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607395497Z", - "original": "admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00" + "ingested": 
"2021-06-09T10:11:32.598371300Z", + "original": "\u003c14\u003eAug 14 2019 13:57:19 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "ChangeReconciliation.cgi" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "ChangeReconciliation.cgi" - }, "@timestamp": "2019-08-14T13:57:26.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607397008Z", - "original": "admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598372500Z", + "original": "\u003c14\u003eAug 14 2019 13:57:26 ChangeReconciliation.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "platformSettingEdit.cgi" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T13:57:34.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { 
"severity": 7, - "ingested": "2021-06-03T06:53:34.607398334Z", - "original": "admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598373500Z", + "original": "\u003c14\u003eAug 14 2019 13:57:34 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "lights_out_mgmt.cgi" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "lights_out_mgmt.cgi" - }, "@timestamp": "2019-08-14T13:57:43.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607399636Z", - "original": "admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598374500Z", + "original": "\u003c14\u003eAug 14 2019 13:57:43 lights_out_mgmt.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "mojo_server.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": 
"2019-08-14T13:58:02.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607400900Z", - "original": "admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598375500Z", + "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "mojo_server.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:02.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607402172Z", - "original": "admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598376500Z", + "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "mojo_server.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:20.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": 
"debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607403423Z", - "original": "admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598377500Z", + "original": "\u003c14\u003eAug 14 2019 13:58:20 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "mojo_server.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:41.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607404683Z", - "original": "admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598379100Z", + "original": "\u003c14\u003eAug 14 2019 13:58:41 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T13:58:47.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": 
"1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607405938Z", - "original": "admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598380Z", + "original": "\u003c14\u003eAug 14 2019 13:58:47 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "mojo_server.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:52.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607410581Z", - "original": "admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598381100Z", + "original": "\u003c14\u003eAug 14 2019 13:58:52 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "mojo_server.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T13:58:54.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - 
} - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607412158Z", - "original": "admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598382200Z", + "original": "\u003c14\u003eAug 14 2019 13:58:54 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T13:59:10.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607413541Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598383200Z", + "original": "\u003c14\u003eAug 14 2019 13:59:10 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T13:59:15.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": 
"siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607414854Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598384200Z", + "original": "\u003c14\u003eAug 14 2019 13:59:15 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:00:37.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607416230Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598385100Z", + "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:00:37.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + 
"version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607417548Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598386100Z", + "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:00:37.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607418969Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598387200Z", + "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:12.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - 
"facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607420290Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598388200Z", + "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "code": "" + }, + "cisco": { + "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" }, - "cisco": { - "ftd": {} + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:12.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607421604Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598389200Z", + "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": 
"2019-08-14T14:01:13.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607422923Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598390200Z", + "original": "\u003c14\u003eAug 14 2019 14:01:13 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:20.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607424216Z", - "original": "csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598391100Z", + "original": "\u003c14\u003eAug 14 2019 14:01:20 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "ActionQueueScrape.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "ActionQueueScrape.pl" - }, "@timestamp": "2019-08-14T14:01:31.000Z", "ecs": { - 
"version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607425522Z", - "original": "csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598392100Z", + "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "ActionQueueScrape.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "ActionQueueScrape.pl" - }, "@timestamp": "2019-08-14T14:01:31.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607426831Z", - "original": "admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598393100Z", + "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "ActionQueueScrape.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "ActionQueueScrape.pl" - }, "@timestamp": 
"2019-08-14T14:01:35.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607428249Z", - "original": "csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598394100Z", + "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "ActionQueueScrape.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "ActionQueueScrape.pl" - }, "@timestamp": "2019-08-14T14:01:36.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607429568Z", - "original": "admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598395100Z", + "original": "\u003c14\u003eAug 14 2019 14:01:36 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "mojo_server.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "mojo_server.pl" - }, 
"@timestamp": "2019-08-14T14:01:55.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607430874Z", - "original": "admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598396100Z", + "original": "\u003c14\u003eAug 14 2019 14:01:55 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:56.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607432175Z", - "original": "admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598397100Z", + "original": "\u003c14\u003eAug 14 2019 14:01:56 sfdccsm: siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "sfdccsm" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "sfdccsm" - }, "@timestamp": "2019-08-14T14:01:57.000Z", "ecs": { - 
"version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607433482Z", - "original": "csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598398Z", + "original": "\u003c14\u003eAug 14 2019 14:01:57 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "mojo_server.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T14:02:03.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607434790Z", - "original": "admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598399Z", + "original": "\u003c14\u003eAug 14 2019 14:02:03 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "index.cgi" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "index.cgi" - }, "@timestamp": "2019-08-14T14:02:11.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - 
} + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607436098Z", - "original": "admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598400900Z", + "original": "\u003c14\u003eAug 14 2019 14:02:11 index.cgi: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "mojo_server.pl" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "mojo_server.pl" - }, "@timestamp": "2019-08-14T14:02:19.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607437435Z", - "original": "admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598401900Z", + "original": "\u003c14\u003eAug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "platformSettingEdit.cgi" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T14:02:31.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": 
"1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607438754Z", - "original": "admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598402900Z", + "original": "\u003c14\u003eAug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "platformSettingEdit.cgi" + }, + "log": { + "level": "debug" + }, + "syslog": { + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T14:02:38.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607440057Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00" + "ingested": "2021-06-09T10:11:32.598403900Z", + "original": "\u003c14\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", + "code": "" }, "cisco": { "ftd": {} + } + }, + { + "process": { + "name": "platformSettingEdit.cgi" + }, + "log": { + "level": "debug" + }, + "syslog": { + "priority": 2, + "facility": { + "code": 14 + } }, "tags": [ "preserve_original_event" - ] - }, - { + ], "observer": { "type": "firewall", "product": 
"asa", "vendor": "Cisco" }, - "process": { - "name": "platformSettingEdit.cgi" - }, "@timestamp": "2019-08-14T14:02:38.000Z", "ecs": { - "version": "1.9.0" - }, - "log": { - "level": "debug", - "syslog": { - "priority": 2, - "facility": { - "code": 14 - } - } + "version": "1.10.0" }, "host": { "name": "siem-management" }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:34.607441384Z", - "original": "admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled" + "ingested": "2021-06-09T10:11:32.598404900Z", + "original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled", + "code": "" }, "cisco": { "ftd": { "security": {} } - }, - "tags": [ - "preserve_original_event" - ] + } } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json index 1114e8e7264..b957b1e1746 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json @@ -42,7 +42,7 @@ }, "@timestamp": "2019-08-16T09:54:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -64,8 +64,8 @@ }, "event": { "severity": 0, - "ingested": "2021-06-03T06:53:35.381430714Z", - "original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-06-09T10:11:33.111979400Z", + "original": "2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", "action": "intrusion-detected", @@ -106,7 +106,6 @@ "client": "Firefox", "user": "No Authentication Required" }, - "message_id": "430001", "rule_name": [ "intrusion-policy", "default" @@ -157,7 +156,7 @@ }, "@timestamp": "2019-08-16T09:57:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -179,8 +178,8 @@ }, "event": { "severity": 0, - "ingested": "2021-06-03T06:53:35.381442854Z", - "original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-06-09T10:11:33.111984800Z", + "original": "2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", "action": "intrusion-detected", @@ -221,7 +220,6 @@ "client": "Firefox", "user": "No Authentication Required" }, - "message_id": "430001", "rule_name": [ "intrusion-policy", "default" @@ -270,7 +268,7 @@ }, "@timestamp": "2019-08-16T10:04:44.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -292,8 +290,8 @@ }, "event": { "severity": 0, - "ingested": "2021-06-03T06:53:35.381445736Z", - "original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-06-09T10:11:33.111986Z", + "original": "2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", "action": "intrusion-detected", @@ -332,7 +330,6 @@ "ingress_interface": "outside", "user": "No Authentication Required" }, - "message_id": "430001", "rule_name": [ "intrusion-policy", "default" @@ -381,7 +378,7 @@ }, "@timestamp": "2019-08-16T10:09:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -403,8 +400,8 @@ }, "event": { "severity": 0, - "ingested": "2021-06-03T06:53:35.381448230Z", - "original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-06-09T10:11:33.111987100Z", + "original": "2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", "action": "intrusion-detected", @@ -443,7 +440,6 @@ "ingress_interface": "outside", "user": "No Authentication Required" }, - "message_id": "430001", "rule_name": [ "intrusion-policy", "default" diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json index 775e3b923e0..b12ebf10ac3 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json @@ -32,7 +32,7 @@ }, "@timestamp": "2018-01-11T01:00:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -48,8 +48,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:35.595184293Z", - "original": "ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", + "ingested": "2021-06-09T10:11:33.251756500Z", + "original": "Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", "code": "430001", "kind": "alert", "action": "intrusion-detected", @@ -68,8 +68,7 @@ "application_protocol": "http", "message": "Intrusion attempt", "dst_ip": "10.8.12.47" - }, - "message_id": "430001" + } } } }, @@ -93,7 +92,7 @@ }, "@timestamp": "2018-01-11T01:00:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -110,8 +109,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:35.595190391Z", - "original": "HTTPResponse: 404, Message: Some message here (1:36330:2).", + "ingested": "2021-06-09T10:11:33.251762400Z", + "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).", "code": "430001", "kind": "alert", "action": "intrusion-detected", @@ -127,8 +126,7 @@ "security": { "http_response": "404", "message": "Some message here (1:36330:2)." - }, - "message_id": "430001" + } } } }, @@ -152,7 +150,7 @@ }, "@timestamp": "2018-01-11T01:00:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -169,8 +167,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-03T06:53:35.595191790Z", - "original": "HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:", + "ingested": "2021-06-09T10:11:33.251763700Z", + "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:", "code": "430002", "kind": "event", "action": "connection-started", 
@@ -187,8 +185,7 @@ "security": { "http_response": "404", "message": "Some message here (1:36330:2)" - }, - "message_id": "430002" + } } } }, @@ -225,7 +222,7 @@ }, "@timestamp": "2018-01-11T01:00:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -246,8 +243,8 @@ }, "event": { "severity": 3, - "ingested": "2021-06-03T06:53:35.595192969Z", - "original": "%ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", + "ingested": "2021-06-09T10:11:33.251764700Z", + "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", "code": "430005", "kind": "alert", "action": "malware-detected", @@ -270,8 +267,7 @@ "And two messages" ], "dst_ip": "192.168.3.33" - }, - "message_id": "430005" + } } } } diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json index 37af47b2c93..4921a702be5 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json @@ -2,18 +2,18 @@ "expected": [ { "log": { - "level": "notification", - "syslog": { - "facility": { - "code": 165 - } - } + "level": "notification" }, "destination": { "port": 53, "address": "203.0.113.42", "ip": "203.0.113.42" }, + "syslog": { + "facility": { + "code": 165 + } + }, "source": { "port": 27218, "address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", @@ -43,7 +43,7 @@ }, "@timestamp": "2019-10-04T15:27:55.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
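Review bot: In the `@@ -2,18 +2,18 @@` hunk of test-not-ip.log-expected.json the facility code moves from `log.syslog.facility.code` to a top-level `syslog.facility.code` object, which is not an ECS field set; `log.syslog.facility.code` is the ECS location and is what SIEM content keyed on ECS will query. Since this file is regenerated from the pipeline, the expected JSON appears to be pinning a regression in the ingest pipeline rather than an intended schema change; the pipeline change itself is outside this chunk, so it should be confirmed there. If the move is deliberate, the `syslog` field needs a definition in the data stream's fields.yml and a changelog entry, otherwise the expected output should keep `"log": { "level": "notification", "syslog": { "facility": { "code": 165 } } }`.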
@@ -55,8 +55,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.737836752Z", - "original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "ingested": "2021-06-09T10:11:33.358167500Z", + "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -67,12 +67,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "OUTSIDE", - "message_id": "106100", "rule_name": "AL-DMZ-LB-IN", "source_interface": "LB-DMZ" } @@ -105,7 +104,7 @@ }, "@timestamp": "2020-01-01T10:42:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -121,8 +120,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.737844012Z", - "original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", + "ingested": "2021-06-09T10:11:33.358172600Z", + "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", "action": "flow-expiration", @@ -136,8 +135,7 @@ }, "cisco": { "ftd": { - "mapped_source_host": "mydomain.example.net", - "message_id": "302021" + "mapped_source_host": "mydomain.example.net" } } }, @@ -187,7 +185,7 @@ }, "@timestamp": "2020-01-02T11:33:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -204,8 +202,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.737845599Z", - "original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", + "ingested": "2021-06-09T10:11:33.358173900Z", + "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", "action": "firewall-rule", @@ -216,7 +214,7 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { @@ -228,7 +226,6 @@ "rule_name": "dynamic", "source_interface": "eth0", "mapped_destination_port": 80, - "message_id": "338204", "threat_category": "malware" } } diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json index 39d36f92529..195183d903c 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json @@ -38,7 +38,7 @@ }, "@timestamp": "2013-04-15T09:36:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -48,8 +48,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877521935Z", - "original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-06-09T10:11:33.451562700Z", + "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -60,12 +60,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "acl_dmz", "source_interface": "dmz" } @@ -109,7 +108,7 @@ }, "@timestamp": "2013-04-15T09:36:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -119,8 +118,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877526779Z", - "original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-06-09T10:11:33.451568200Z", + "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -131,12 +130,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "acl_dmz", "source_interface": "dmz" } @@ -180,7 +178,7 @@ }, "@timestamp": "2014-04-15T13:34:34.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -190,8 +188,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877528249Z", - "original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451569800Z", + "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -202,12 +200,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "suffix": "session", "rule_name": "acl_in", "source_interface": "inside" @@ -253,7 +250,7 @@ }, "@timestamp": "2013-04-24T16:00:28.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -269,8 +266,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877529559Z", - "original": "%FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "ingested": "2021-06-09T10:11:33.451570900Z", + "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -281,12 +278,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "inside", "source_interface": "inside" } @@ -331,7 +327,7 @@ }, "@timestamp": "2013-04-24T16:00:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -347,8 +343,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877530827Z", - "original": "%FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "ingested": "2021-06-09T10:11:33.451571900Z", + "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -359,12 +355,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "inside", "source_interface": "inside" } @@ -408,7 +403,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -418,8 +413,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877532085Z", - "original": "%FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "ingested": "2021-06-09T10:11:33.451573Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -433,8 +428,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "outside", - "message_id": "305011" + "source_interface": "outside" } } }, @@ -480,7 +474,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -490,8 +484,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877533333Z", - "original": "%FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", + "ingested": "2021-06-09T10:11:33.451574100Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -510,8 +504,7 @@ "mapped_source_ip": "192.0.2.43", "connection_id": "89743274", "source_interface": "outside", - "mapped_destination_port": 12834, - "message_id": "302013" + "mapped_destination_port": 12834 } } }, @@ -553,7 +546,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -563,8 +556,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877534604Z", - "original": "%FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "ingested": "2021-06-09T10:11:33.451575100Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -578,8 +571,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "outside", - "message_id": "305011" + "source_interface": "outside" } } }, 
@@ -628,18 +620,19 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "192.0.2.222", + "192.0.2.43", "10.123.1.35" ] }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877535878Z", - "original": "%FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "ingested": "2021-06-09T10:11:33.451576100Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -658,8 +651,7 @@ "mapped_source_ip": "192.0.2.43", "connection_id": "89743275", "source_interface": "outside", - "mapped_destination_port": 25882, - "message_id": "302015" + "mapped_destination_port": 25882 } } }, @@ -701,7 +693,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -711,8 +703,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877537160Z", - "original": "%FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "ingested": "2021-06-09T10:11:33.451577600Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -726,8 +718,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "outside", - "message_id": "305011" + "source_interface": "outside" } } }, 
@@ -774,18 +765,19 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "192.0.2.1", - "10.123.3.42" + "10.123.3.42", + "10.123.3.130" ] }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877538415Z", - "original": "%FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "ingested": "2021-06-09T10:11:33.451578600Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -804,8 +796,7 @@ "mapped_source_ip": "192.0.2.1", "connection_id": "89743276", "source_interface": "outside", - "mapped_destination_port": 45392, - "message_id": "302013" + "mapped_destination_port": 45392 } } }, @@ -848,7 +839,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -859,8 +850,8 @@ "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-06-03T06:53:35.877539841Z", - "original": "%FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "ingested": "2021-06-09T10:11:33.451579800Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", "start": "2013-04-29T11:36:05.000Z", @@ -877,7 +868,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "89743275", "source_interface": "outside" } @@ -922,7 +912,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -933,8 +923,8 @@ "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-06-03T06:53:35.877541122Z", - "original": "%FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "ingested": "2021-06-09T10:11:33.451580800Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", "start": "2013-04-29T02:59:50.000Z", @@ -952,7 +942,6 @@ "ftd": { "source_username": "user1", "destination_interface": "inside", - "message_id": "302016", "connection_id": "666", "source_interface": "outside", "destination_username": "user2" @@ -986,7 +975,7 @@ }, "@timestamp": "2011-06-04T21:59:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -1002,8 +991,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877542379Z", - "original": "%FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "ingested": "2021-06-09T10:11:33.451581800Z", + "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", "action": "flow-expiration", @@ -1017,8 +1006,7 @@ }, "cisco": { "ftd": { - "mapped_source_ip": "192.168.132.46", - "message_id": "302021" + "mapped_source_ip": "192.168.132.46" } } }, @@ -1060,7 +1048,7 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1070,8 +1058,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877543654Z", - "original": "%FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "ingested": "2021-06-09T10:11:33.451584900Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1085,8 +1073,7 @@ "cisco": { "ftd": { "destination_interface": "outside", - "source_interface": "inside", - "message_id": "305011" + "source_interface": "inside" } } }, @@ -1133,18 +1120,19 @@ }, "@timestamp": "2013-04-29T12:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "192.0.0.17", - "192.168.3.42" + "192.168.3.42", + "10.0.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877544906Z", - "original": "%FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "ingested": "2021-06-09T10:11:33.451586Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -1163,8 +1151,7 @@ "mapped_source_ip": "192.0.0.17", "connection_id": "89743277", "source_interface": "outside", - "mapped_destination_port": 10879, - "message_id": "302013" + "mapped_destination_port": 10879 } } }, @@ -1198,7 +1185,7 @@ }, "@timestamp": "2013-04-30T09:22:33.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1208,8 +1195,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877546387Z", - "original": "%FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "ingested": "2021-06-09T10:11:33.451587Z", + "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -1220,12 +1207,10 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { - "ftd": { - "message_id": "106007" - } + "ftd": {} } }, { @@ -1266,7 +1251,7 @@ }, "@timestamp": "2013-04-30T09:22:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1276,8 +1261,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877547657Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451588100Z", + "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1288,12 +1273,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1337,7 +1321,7 @@ }, "@timestamp": "2013-04-30T09:22:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1347,8 +1331,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877548902Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451589100Z", + "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1359,12 +1343,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1408,7 +1391,7 @@ }, "@timestamp": "2013-04-30T09:22:39.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1418,8 +1401,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877550157Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451590100Z", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1430,12 +1413,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1479,7 +1461,7 @@ }, "@timestamp": "2013-04-30T09:22:39.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1489,8 +1471,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877551432Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451591100Z", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1501,12 +1483,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1550,7 +1531,7 @@ }, "@timestamp": "2013-04-30T09:22:39.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1560,8 +1541,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877552681Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451592100Z", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1572,12 +1553,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1621,7 +1601,7 @@ }, "@timestamp": "2013-04-30T09:22:40.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1631,8 +1611,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877553938Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451593300Z", + "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1643,12 +1623,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1692,7 +1671,7 @@ }, "@timestamp": "2013-04-30T09:22:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1702,8 +1681,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877555361Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451594300Z", + "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1714,12 +1693,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1763,7 +1741,7 @@ }, "@timestamp": "2013-04-30T09:22:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1773,8 +1751,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877556635Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451595400Z", + "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1785,12 +1763,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1834,7 +1811,7 @@ }, "@timestamp": "2013-04-30T09:22:48.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1844,8 +1821,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877557901Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451596400Z", + "original": "Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1856,12 +1833,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "dmz", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1905,7 +1881,7 @@ }, "@timestamp": "2013-04-30T09:22:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1915,8 +1891,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877559162Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451597400Z", + "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1927,12 +1903,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -1972,7 +1947,7 @@ }, "@timestamp": "2013-04-30T09:23:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1982,8 +1957,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877560412Z", - "original": "%FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "ingested": "2021-06-09T10:11:33.451598500Z", + "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", "action": "firewall-rule", @@ -1994,12 +1969,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "inside", - "message_id": "106006" + "source_interface": "inside" } } }, @@ -2033,7 +2007,7 @@ }, "@timestamp": "2013-04-30T09:23:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2043,8 +2017,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877561688Z", - "original": "%FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "ingested": "2021-06-09T10:11:33.451599500Z", + "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -2055,12 +2029,10 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { - "ftd": { - "message_id": "106007" - } + "ftd": {} } }, { @@ -2101,7 +2073,7 @@ }, "@timestamp": "2013-04-30T09:23:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2111,8 +2083,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877562948Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451601100Z", + "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2123,12 +2095,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2172,7 +2143,7 @@ }, "@timestamp": "2013-04-30T09:23:08.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2182,8 +2153,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877564198Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451602100Z", + "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2194,12 +2165,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2243,7 +2213,7 @@ }, "@timestamp": "2013-04-30T09:23:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2253,8 +2223,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877565441Z", - "original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451603100Z", + "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2265,12 +2235,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2314,7 +2283,7 @@ }, "@timestamp": "2013-04-30T09:23:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2324,8 +2293,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877566689Z", - "original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451604100Z", + "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2336,12 +2305,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2385,7 +2353,7 @@ }, "@timestamp": "2013-04-30T09:23:34.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2395,8 +2363,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877567946Z", - "original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451605100Z", + "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2407,12 +2375,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2456,7 +2423,7 @@ }, "@timestamp": "2013-04-30T09:23:40.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2466,8 +2433,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877569339Z", - "original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-06-09T10:11:33.451606100Z", + "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2478,12 +2445,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "acl_out", "source_interface": "outside" } @@ -2527,7 +2493,7 @@ }, "@timestamp": "2013-04-30T09:23:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2537,8 +2503,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877570635Z", - "original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-06-09T10:11:33.451607800Z", + "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2549,12 +2515,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "acl_out", "source_interface": "outside" } @@ -2598,7 +2563,7 @@ }, "@timestamp": "2013-04-30T09:23:43.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2608,8 +2573,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877571897Z", - "original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451608900Z", + "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2620,12 +2585,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2669,7 +2633,7 @@ }, "@timestamp": "2013-04-30T09:23:43.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -2679,8 +2643,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877573147Z", - "original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451609900Z", + "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2691,12 +2655,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "rule_name": "acl_in", "source_interface": "inside" } @@ -2740,7 +2703,7 @@ }, "@timestamp": "2018-04-15T13:34:34.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2750,8 +2713,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877574387Z", - "original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-06-09T10:11:33.451611Z", + "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2762,12 +2725,11 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106100", "suffix": "session", "rule_name": "acl_in", "source_interface": "inside" @@ -2814,7 +2776,7 @@ }, "@timestamp": "2018-12-11T08:01:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2830,8 +2792,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877575628Z", - "original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", + "ingested": "2021-06-09T10:11:33.451612Z", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2850,8 +2812,7 @@ "mapped_source_ip": "192.168.77.12", "connection_id": "447235", "source_interface": "outside", - "mapped_destination_port": 80, - "message_id": "302015" + "mapped_destination_port": 80 } } }, @@ -2894,7 +2855,7 @@ }, "@timestamp": "2018-12-11T08:01:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -2910,8 +2871,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877576867Z", - "original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-06-09T10:11:33.451613Z", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2922,12 +2883,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "dmz", "source_interface": "dmz" } @@ -2972,7 +2932,7 @@ }, "@timestamp": "2018-12-11T08:01:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -2988,8 +2948,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877578125Z", - "original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-06-09T10:11:33.451614Z", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -3000,12 +2960,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "dmz", "source_interface": "dmz" } @@ -3051,7 +3010,7 @@ }, "@timestamp": "2018-12-11T08:01:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3067,8 +3026,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877579366Z", - "original": "%FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-06-09T10:11:33.451615Z", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3087,8 +3046,7 @@ "mapped_source_ip": "192.0.2.222", "connection_id": "447236", "source_interface": "outside", - "mapped_destination_port": 5678, - "message_id": "302013" + "mapped_destination_port": 5678 } } }, @@ -3132,7 +3090,7 @@ }, "@timestamp": "2018-12-11T08:01:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3148,8 +3106,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877580615Z", - "original": "%FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-06-09T10:11:33.451616Z", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3168,8 +3126,7 @@ "mapped_source_ip": "192.0.2.222", "connection_id": "447236", "source_interface": "outside", - "mapped_destination_port": 5678, - "message_id": "302013" + "mapped_destination_port": 5678 } } }, @@ -3213,7 +3170,7 @@ }, "@timestamp": "2018-12-11T08:01:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3230,8 +3187,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-06-03T06:53:35.877581864Z", - "original": "%FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:33.451617Z", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:01:31.000Z", @@ -3248,7 +3206,6 @@ "cisco": { "ftd": { "destination_interface": "dmz", - "message_id": "302014", "connection_id": "447236", "source_interface": "outside" } @@ -3294,7 +3251,7 @@ }, "@timestamp": "2018-12-11T08:01:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3311,8 +3268,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:35.877583999Z", - "original": "%FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:33.451618Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3329,7 +3287,6 @@ "cisco": { "ftd": { "destination_interface": "dmz", - "message_id": "302014", "connection_id": "447234", "source_interface": "outside" } @@ -3375,7 +3332,7 @@ }, "@timestamp": "2018-12-11T08:01:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3392,8 +3349,9 @@ "event": { "severity": 6, "duration": 68000000000, - "ingested": "2021-06-03T06:53:35.877585418Z", - "original": "%FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:33.451619Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3410,7 +3368,6 @@ "cisco": { "ftd": { "destination_interface": "dmz", - "message_id": "302014", "connection_id": "447234", "source_interface": "outside" } @@ -3434,7 +3391,8 @@ "preserve_original_event" ], "network": { - "transport": "(no" + "iana_number": "6", + "transport": "tcp" }, "observer": { "hostname": "127.0.0.1", @@ -3449,7 +3407,7 @@ }, "@timestamp": "2018-12-11T08:01:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3465,8 +3423,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877586747Z", - "original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-06-09T10:11:33.451620Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3474,14 +3432,14 @@ "network" ], "type": [ - "info" + "info", + "denied" ], - "outcome": "tcp" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "outside", - "message_id": "106015" + "source_interface": "outside" } } }, @@ -3503,7 +3461,8 @@ "preserve_original_event" ], "network": { - "transport": "(no" + "iana_number": "6", + "transport": "tcp" }, "observer": { "hostname": "127.0.0.1", 
@@ -3518,7 +3477,7 @@ }, "@timestamp": "2018-12-11T08:01:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3534,8 +3493,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877588079Z", - "original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-06-09T10:11:33.451621500Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3543,14 +3502,14 @@ "network" ], "type": [ - "info" + "info", + "denied" ], - "outcome": "tcp" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "outside", - "message_id": "106015" + "source_interface": "outside" } } }, @@ -3593,7 +3552,7 @@ }, "@timestamp": "2018-12-11T08:01:39.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3609,8 +3568,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877589386Z", - "original": "%FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "ingested": "2021-06-09T10:11:33.451622600Z", + "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -3621,12 +3580,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "outside", - "message_id": "106023", "rule_name": "dmz", "source_interface": "dmz" } @@ -3672,7 +3630,7 @@ }, "@timestamp": "2018-12-11T08:01:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3688,8 +3646,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877590835Z", - "original": "%FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-06-09T10:11:33.451623600Z", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3708,8 +3666,7 @@ "mapped_source_ip": "192.0.2.222", "connection_id": "447237", "source_interface": "outside", - "mapped_destination_port": 65000, - "message_id": "302013" + "mapped_destination_port": 65000 } } }, @@ -3753,7 +3710,7 @@ }, "@timestamp": "2018-12-11T08:01:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -3769,8 +3726,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-03T06:53:35.877592141Z", - "original": "%FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-06-09T10:11:33.451624600Z", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3789,8 +3746,7 @@ "mapped_source_ip": "192.0.2.222", "connection_id": "447237", "source_interface": "outside", - "mapped_destination_port": 65000, - "message_id": "302013" + "mapped_destination_port": 65000 } } }, @@ -3834,7 +3790,7 @@ }, "@timestamp": "2018-12-11T08:01:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3851,8 +3807,9 @@ "event": { "severity": 6, "duration": 86399000000000, - "ingested": "2021-06-03T06:53:35.877593454Z", - "original": "%FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "reason": "TCP FINs", + "ingested": "2021-06-09T10:11:33.451625600Z", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-10T08:01:54.000Z", @@ -3869,7 +3826,6 @@ "cisco": { "ftd": { "destination_interface": "dmz", - "message_id": "302014", "connection_id": "447237", "source_interface": "outside" } @@ -3914,7 +3870,7 @@ }, "@timestamp": "2012-08-15T23:30:09.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -3925,8 +3881,8 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-06-03T06:53:35.877594770Z", - "original": "%FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", + "ingested": "2021-06-09T10:11:33.451626600Z", + "original": "Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", "start": "2012-08-15T23:28:07.000Z", @@ -3943,7 +3899,6 @@ "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "302016", "connection_id": "40", "source_interface": "outside" } @@ -3977,7 +3932,7 @@ }, "@timestamp": "2014-09-12T06:50:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -3993,8 +3948,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877596078Z", - "original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:33.451627600Z", + "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4005,12 +3960,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4042,7 +3996,7 @@ }, "@timestamp": "2014-09-12T06:51:01.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4058,8 +4012,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877597384Z", - "original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:33.451628700Z", + "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4070,12 +4024,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4107,7 +4060,7 @@ }, "@timestamp": "2014-09-12T06:51:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4123,8 +4076,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877598697Z", - "original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:33.451629700Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4135,12 +4088,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4172,7 +4124,7 @@ }, "@timestamp": "2014-09-12T06:51:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4188,8 +4140,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877600005Z", - "original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:33.451630700Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4200,12 +4152,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4237,7 +4188,7 @@ }, "@timestamp": "2014-09-12T06:51:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4253,8 +4204,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877601312Z", - "original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:33.451631700Z", + "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4265,12 +4216,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4302,7 +4252,7 @@ }, "@timestamp": "2014-09-12T06:51:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4318,8 +4268,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877602633Z", - "original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:33.451632800Z", + "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4330,12 +4280,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4367,7 +4316,7 @@ }, "@timestamp": "2014-09-12T06:52:48.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4383,8 +4332,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877648058Z", - "original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:33.451633700Z", + "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4395,12 +4344,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4432,7 +4380,7 @@ }, "@timestamp": "2014-09-12T06:53:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4448,8 +4396,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-03T06:53:35.877649862Z", - "original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "ingested": "2021-06-09T10:11:33.451634800Z", + "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4460,12 +4408,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "Mobile_Traffic", - "message_id": "106016" + "source_interface": "Mobile_Traffic" } } }, @@ -4508,7 +4455,7 @@ }, "@timestamp": "2014-09-12T06:53:01.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ 
@@ -4524,8 +4471,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877651150Z", - "original": "%FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "ingested": "2021-06-09T10:11:33.451635800Z", + "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -4536,12 +4483,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "destination_interface": "inside", - "message_id": "106023", "rule_name": "PERMIT_IN", "source_interface": "outside" } @@ -4575,7 +4521,7 @@ }, "@timestamp": "2014-09-12T06:53:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4590,8 +4536,8 @@ }, "event": { "severity": 3, - "ingested": "2021-06-03T06:53:35.877652445Z", - "original": "%FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", + "ingested": "2021-06-09T10:11:33.451636800Z", + "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", "action": "firewall-rule", @@ -4602,14 +4548,13 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "icmp_type": 3, - "message_id": "313001", - "icmp_code": 3, - "source_interface": "Outside" + "source_interface": "Outside", + "icmp_code": 3 } } }, @@ -4644,7 +4589,7 @@ }, "@timestamp": "2015-01-14T13:16:13.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4654,8 +4599,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877653707Z", - "original": "%FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", + "ingested": "2021-06-09T10:11:33.451637800Z", + "original": "Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", "action": "firewall-rule", @@ -4666,13 +4611,12 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { "icmp_type": 0, - "source_interface": "inside", - "message_id": "313004" + "source_interface": "inside" } } }, @@ -4722,7 +4666,7 @@ }, "@timestamp": "2015-01-14T13:16:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "hosts": [ @@ -4730,13 +4674,14 @@ ], "ip": [ "10.1.1.45", + "192.88.99.1", "192.88.99.129" ] }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877654977Z", - "original": "%FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "ingested": "2021-06-09T10:11:33.451638800Z", + "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", "action": "firewall-rule", @@ -4747,7 +4692,7 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { "ftd": { @@ -4757,8 +4702,7 @@ "mapped_source_ip": "192.88.99.1", "rule_name": "dynamic", "source_interface": "inside", - "mapped_destination_port": 80, - "message_id": "338002" + "mapped_destination_port": 80 } } }, 
@@ -4806,18 +4750,20 @@ }, "@timestamp": "2015-01-14T13:16:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "10.1.1.1", - "192.0.2.223" + "10.2.1.1", + "192.0.2.223", + "192.0.2.225" ] }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877656238Z", - "original": "%FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-06-09T10:11:33.451640100Z", + "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", "action": "firewall-rule", @@ -4839,7 +4785,6 @@ "rule_name": "dynamic", "source_interface": "inside", "mapped_destination_port": 80, - "message_id": "338004", "threat_category": "Malware" } } 
@@ -4888,18 +4833,19 @@ }, "@timestamp": "2015-01-14T13:16:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ "10.1.1.1", + "10.2.1.1", "192.0.2.223" ] }, "event": { "severity": 4, - "ingested": "2021-06-03T06:53:35.877657511Z", - "original": "%FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-06-09T10:11:33.451641100Z", + "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", "action": "firewall-rule", @@ -4910,7 +4856,7 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { @@ -4922,7 +4868,6 @@ "rule_name": "dynamic", "source_interface": "inside", "mapped_destination_port": 8080, - "message_id": "338008", "threat_category": "Malware" } } @@ -4940,6 +4885,7 @@ "ip": "10.30.30.30" }, "url": { + "path": "/app", "original": "/app" }, "tags": [ @@ -4952,7 +4898,7 @@ }, "@timestamp": "2009-11-16T14:12:35.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4962,8 +4908,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877658800Z", - "original": "%FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", + "ingested": "2021-06-09T10:11:33.451642100Z", + "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", "code": "304001", "kind": "event", "action": "firewall-rule", 
@@ -4974,12 +4920,10 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { - "ftd": { - "message_id": "304001" - } + "ftd": {} } }, { @@ -4995,7 +4939,10 @@ "ip": "10.5.111.32" }, "url": { - "original": "http://example.com" + "path": "", + "original": "http://example.com", + "scheme": "http", + "domain": "example.com" }, "tags": [ "preserve_original_event" @@ -5007,7 +4954,7 @@ }, "@timestamp": "2009-11-16T14:12:36.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -5017,8 +4964,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877661973Z", - "original": "%FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "ingested": "2021-06-09T10:11:33.451643100Z", + "original": "Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -5029,12 +4976,10 @@ "info", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "cisco": { - "ftd": { - "message_id": "304001" - } + "ftd": {} } }, { @@ -5050,7 +4995,11 @@ "ip": "10.69.6.39" }, "url": { - "original": "http://www.example.net/images/favicon.ico" + "path": "/images/favicon.ico", + "extension": "ico", + "original": "http://www.example.net/images/favicon.ico", + "scheme": "http", + "domain": "www.example.net" }, "tags": [ "preserve_original_event" @@ -5067,7 +5016,7 @@ }, "@timestamp": "2009-11-16T14:12:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
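Review bot: The 304001 documents in this hunk now carry an empty `"ftd": {}` object under `cisco` after `message_id` was dropped, and the second 304001 document gets `"path": ""` for the URL `http://example.com`. Both look like pipeline side effects rather than intended output: an empty object adds nothing for consumers, and an empty-string `url.path` is a value a rule may match on without meaning to, where omitting the field would be the conventional choice. If the ingest pipeline (outside this diff) has a step that removes empty `cisco.ftd` / `url.path` values, the expectation here suggests it is not reached for these messages; worth confirming before pinning this as the expected result. The same empty `"ftd": {}` appears in the 304001 expectation on the previous hunk of this file.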
@@ -5077,8 +5026,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-03T06:53:35.877663369Z", - "original": "%FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "ingested": "2021-06-09T10:11:33.451644100Z", + "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", "code": "304002", "kind": "event", "action": "firewall-rule", @@ -5089,12 +5038,11 @@ "info", "denied" ], - "outcome": "deny" + "outcome": "failure" }, "cisco": { "ftd": { - "source_interface": "inside", - "message_id": "304002" + "source_interface": "inside" } } } diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json index 2faeb212f0e..23977007268 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json @@ -43,7 +43,7 @@ }, "@timestamp": "2019-08-15T16:03:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -62,8 +62,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:38.800407479Z", - "original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-06-09T10:11:35.406287500Z", + "original": "2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", "action": "connection-started", @@ -75,7 +75,7 @@ "start", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -107,7 +107,6 @@ "responder_bytes": "0", "user": "No Authentication Required" }, - "message_id": "430002", "rule_name": [ "default", "Rule-1" @@ -159,7 +158,7 @@ }, "@timestamp": "2019-08-15T16:05:33.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -179,8 +178,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:38.800421190Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-06-09T10:11:35.406294600Z", + "original": "2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", "code": "430003", "kind": "event", "start": "2019-08-15T16:05:33.000Z", @@ -194,7 +193,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -227,7 +226,6 @@ "responder_bytes": "98", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Rule-1" @@ -303,7 +301,7 @@ }, "@timestamp": "2019-08-15T16:05:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -322,8 +320,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:38.800422428Z", - "original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", + "ingested": "2021-06-09T10:11:35.406295900Z", + "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", "code": "430002", "kind": "event", "action": "connection-started", @@ -335,7 +333,7 @@ "start", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -369,7 +367,6 @@ "responder_bytes": "0", "user": "No Authentication Required" }, - "message_id": "430002", "rule_name": [ "default", "Rule-1" @@ -445,7 +442,7 @@ }, "@timestamp": "2019-08-15T16:07:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -465,8 +462,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:38.800423513Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", + "ingested": "2021-06-09T10:11:35.406297Z", + "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", "code": "430003", "kind": "event", "start": "2019-08-15T16:07:00.000Z", @@ -480,7 +477,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -517,7 +514,6 @@ "dns_response_type": "Non-Existent Domain", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Rule-1" 
@@ -587,7 +583,7 @@ }, "@timestamp": "2019-08-15T16:07:18.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -606,8 +602,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:38.800424561Z", - "original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-06-09T10:11:35.406298500Z", + "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", "action": "connection-started", @@ -619,7 +615,7 @@ "start", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -649,7 +645,6 @@ "responder_bytes": "74", "user": "No Authentication Required" }, - "message_id": "430002", "rule_name": [ "default", "Rule-1" 
@@ -695,7 +690,10 @@ "ip": "10.0.1.20" }, "url": { + "path": "/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "extension": "deb", "original": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "scheme": "http", "domain": "eu-central-1.ec2.archive.ubuntu.com" }, "tags": [ @@ -728,7 +726,7 @@ }, "@timestamp": "2019-08-15T16:07:19.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -753,8 +751,8 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-06-03T06:53:38.800425607Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "ingested": "2021-06-09T10:11:35.406299600Z", + "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", "code": "430003", "kind": "event", "start": 
"2019-08-15T16:07:18.000Z", @@ -768,7 +766,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -807,7 +805,6 @@ "responder_bytes": "41319018", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Rule-1" @@ -880,7 +877,7 @@ }, "@timestamp": "2019-08-16T09:33:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -899,8 +896,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:38.800426617Z", - "original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-06-09T10:11:35.406300600Z", + "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", "action": "connection-started", @@ -912,7 +909,7 @@ "start", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -942,7 +939,6 @@ "responder_bytes": "74", "user": "No Authentication Required" }, - "message_id": "430002", "rule_name": [ "default", "Rule-1" 
@@ -988,7 +984,10 @@ "ip": "10.0.1.20" }, "url": { + "path": "/download/eicar_com.zip", + "extension": "zip", "original": "http://www.eicar.org/download/eicar_com.zip", + "scheme": "http", "domain": "www.eicar.org" }, "tags": [ @@ -1018,7 +1017,7 @@ }, "@timestamp": "2019-08-16T09:33:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1043,8 +1042,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-06-03T06:53:38.800427616Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", + "ingested": "2021-06-09T10:11:35.406301800Z", + "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", "code": "430003", "kind": "event", "start": "2019-08-16T09:33:15.000Z", @@ -1058,7 +1057,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -1096,7 +1095,6 @@ "responder_bytes": "690", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Rule-1" 
@@ -1149,7 +1147,7 @@ }, "@timestamp": "2019-08-16T09:35:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -1168,8 +1166,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:38.800428629Z", - "original": "%FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-06-09T10:11:35.406302700Z", + "original": "2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", "action": "connection-started", @@ -1179,7 +1177,7 @@ "type": [ "connection", "start", - "denied" + "failure" ], "outcome": "block" }, @@ -1211,7 +1209,6 @@ "responder_bytes": "0", "user": "No Authentication Required" }, - "message_id": "430002", "rule_name": [ "default", "Block-inbound-ICMP" 
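Review bot: In the 430002 Block expectation on this hunk the new side replaces `"denied"` with `"failure"` inside `event.type` while `event.outcome` stays `"block"`, which inverts the two ECS fields: `failure` is an `event.outcome` value and `denied` is an `event.type` value, and `block` is not an allowed `event.outcome` (success, failure, unknown). Every other hunk in these files maps the deny/allow case to `"type": [..., "denied"]` plus `"outcome": "failure"`, so this reads like the Block branch of the pipeline writing to the wrong field; the pipeline itself is outside this diff, so that is an inference. The expected value here should presumably be `"type": ["connection", "start", "denied"], "outcome": "failure"`. Any detection logic keyed on `event.type:denied` would silently miss these blocked connections as pinned. The 430003 Block expectation on the later hunk of this file (`"end"`, `"failure"`, `"outcome": "block"`) has the same inversion.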
@@ -1239,8 +1236,15 @@ "ip": "10.0.1.20" }, "url": { + "path": "/eicar_com.zip", + "extension": "zip", "original": "http://10.0.100.30:8000/eicar_com.zip", - "domain": "10.0.100.30:8000" + "scheme": "http", + "port": 8000, + "domain": [ + "10.0.100.30", + "10.0.100.30:8000" + ] }, "tags": [ "preserve_original_event" @@ -1269,7 +1273,7 @@ }, "@timestamp": "2019-08-14T15:09:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
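Review bot: `url.domain` in this hunk becomes the two-element array `["10.0.100.30", "10.0.100.30:8000"]` for `http://10.0.100.30:8000/eicar_com.zip`, while the same URL shape in test-security-file-malware.log-expected.json on the next file section yields the single value `"10.0.100.30"`. The `host:port` entry is not a hostname, so aggregations or matches on `url.domain` would get a spurious value, and the inconsistency between the two files suggests the connection pipeline appends the URL-parsed domain to an existing `ReferencedHost`-derived value rather than replacing it; the pipeline is not in this diff, so that is a guess. The expected value is presumably just `"domain": "10.0.100.30"` with `"port": 8000` carrying the port, as the malware file already pins it.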
@@ -1294,8 +1298,8 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-06-03T06:53:38.800429734Z", - "original": "%FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", + "ingested": "2021-06-09T10:11:35.406303700Z", + "original": "Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", "code": "430003", "kind": "event", "start": "2019-08-14T15:09:40.000Z", @@ -1307,7 +1311,7 @@ "type": [ "connection", "end", - "denied" + "failure" ], "outcome": "block" }, 
@@ -1349,7 +1353,6 @@ "responder_bytes": "1927", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "default", "Intrusion-Rule" diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json index c7bcdbf4e2a..c3818969063 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json @@ -15,7 +15,12 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://10.0.100.30:8000/exploit.exe" + "path": "/exploit.exe", + "extension": "exe", + "original": "http://10.0.100.30:8000/exploit.exe", + "scheme": "http", + "port": 8000, + "domain": "10.0.100.30" }, "tags": [ "preserve_original_event" @@ -37,7 +42,7 @@ "name": "exploit.exe" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -56,8 +61,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427128291Z", - "original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", + "ingested": "2021-06-09T10:11:35.839807700Z", + "original": "Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", "start": "2019-08-14T14:54:24Z", @@ -93,8 +98,7 @@ "dst_port": "8000", "client": "cURL", "user": "No Authentication Required" - }, - "message_id": "430004" + } } } }, @@ -113,7 +117,12 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://10.0.100.30:8000/exploit.exe" + "path": "/exploit.exe", + "extension": "exe", + "original": "http://10.0.100.30:8000/exploit.exe", + "scheme": "http", + "port": 8000, + "domain": "10.0.100.30" }, "tags": [ "preserve_original_event" @@ -135,7 +144,7 @@ "name": "exploit.exe" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -154,8 +163,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427133268Z", - "original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", + "ingested": "2021-06-09T10:11:35.839813100Z", + "original": "Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", "start": "2019-08-14T14:55:01Z", @@ -191,8 +200,7 @@ "dst_port": "8000", "client": "cURL", "user": "No Authentication Required" - }, - "message_id": "430004" + } } } }, @@ -211,7 +219,12 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://10.0.100.30:8000/eicar.com" + "path": "/eicar.com", + "extension": "com", + "original": "http://10.0.100.30:8000/eicar.com", + "scheme": "http", + "port": 8000, + "domain": "10.0.100.30" }, "tags": [ "preserve_original_event" @@ -233,7 +246,7 @@ "name": "eicar.com" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -252,8 +265,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427134722Z", - "original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", + "ingested": "2021-06-09T10:11:35.839814400Z", + "original": "Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", "code": "430004", "kind": "alert", "start": "2019-08-14T15:00:27Z", @@ -289,8 +302,7 @@ "dst_port": "8000", "client": "cURL", "user": "No Authentication Required" - }, - "message_id": "430004" + } } } }, @@ -309,7 +321,12 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://10.0.100.30:8000/eicar.com.txt" + "path": "/eicar.com.txt", + "extension": "txt", + "original": "http://10.0.100.30:8000/eicar.com.txt", + "scheme": "http", + "port": 8000, + "domain": "10.0.100.30" }, "tags": [ "preserve_original_event" @@ -331,7 +348,7 @@ "name": "eicar.com.txt" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -350,8 +367,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427135965Z", - "original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", + "ingested": "2021-06-09T10:11:35.839815400Z", + "original": "Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", "code": "430004", "kind": "alert", "start": "2019-08-14T15:01:40Z", @@ -387,8 +404,7 @@ "dst_port": "8000", "client": "cURL", "user": "No Authentication Required" - }, - "message_id": "430004" + } } } }, @@ -407,7 +423,12 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://10.0.100.30:8000/eicar_com.zip" + "path": "/eicar_com.zip", + "extension": "zip", + "original": "http://10.0.100.30:8000/eicar_com.zip", + "scheme": "http", + "port": 8000, + "domain": "10.0.100.30" }, "tags": [ "preserve_original_event" @@ -433,7 +454,7 @@ } }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -455,8 +476,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427137162Z", - "original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "ingested": "2021-06-09T10:11:35.839816500Z", + "original": "Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", "start": "2019-08-14T15:03:27Z", @@ -474,6 +495,7 @@ }, "cisco": { "ftd": { + "rule_name": "malware-and-file-policy", "security": { "file_policy": "malware-and-file-policy", "file_name": "eicar_com.zip", @@ -495,8 +517,6 @@ "client": "cURL", "user": "No Authentication Required" }, - "message_id": "430004", - "rule_name": "malware-and-file-policy", "threat_category": "Unknown" } } 
@@ -516,7 +536,12 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://10.0.100.30:8000/eicar_com.zip" + "path": "/eicar_com.zip", + "extension": "zip", + "original": "http://10.0.100.30:8000/eicar_com.zip", + "scheme": "http", + "port": 8000, + "domain": "10.0.100.30" }, "tags": [ "preserve_original_event" @@ -542,7 +567,7 @@ } }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -564,8 +589,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427138337Z", - "original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "ingested": "2021-06-09T10:11:35.839817600Z", + "original": "Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", "start": "2019-08-14T15:03:31Z", @@ -583,6 +608,7 @@ }, "cisco": { "ftd": { + "rule_name": "malware-and-file-policy", "security": { "file_policy": "malware-and-file-policy", "file_name": "eicar_com.zip", 
@@ -604,8 +630,6 @@ "client": "cURL", "user": "No Authentication Required" }, - "message_id": "430004", - "rule_name": "malware-and-file-policy", "threat_category": "Unknown" } } @@ -625,7 +649,12 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://10.0.100.30:8000/eicar_com.zip" + "path": "/eicar_com.zip", + "extension": "zip", + "original": "http://10.0.100.30:8000/eicar_com.zip", + "scheme": "http", + "port": 8000, + "domain": "10.0.100.30" }, "tags": [ "preserve_original_event" @@ -651,7 +680,7 @@ } }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -673,8 +702,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427139511Z", - "original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "ingested": "2021-06-09T10:11:35.839818600Z", + "original": "Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430005", "kind": "alert", "start": "2019-08-14T15:09:40Z", @@ -717,7 +746,6 @@ "client": "cURL", "user": "No Authentication Required" }, - "message_id": "430005", "rule_name": "malware-and-file-policy", "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" } 
@@ -756,7 +784,11 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://www.eicar.org/download/eicar_com.zip" + "path": "/download/eicar_com.zip", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "scheme": "http", + "domain": "www.eicar.org" }, "tags": [ "preserve_original_event" @@ -782,7 +814,7 @@ } }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -804,8 +836,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427140688Z", - "original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", + "ingested": "2021-06-09T10:11:35.839819600Z", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "code": "430005", "kind": "alert", "start": "2019-08-16T09:39:02Z", @@ -823,6 +855,7 @@ }, "cisco": { "ftd": { + "rule_name": "malware-and-file-policy", "security": { "file_policy": "malware-and-file-policy", "sha_disposition": "Unavailable", 
@@ -847,8 +880,6 @@ "client": "cURL", "user": "No Authentication Required" }, - "message_id": "430005", - "rule_name": "malware-and-file-policy", "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" } } @@ -868,7 +899,10 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d" + "path": "/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "original": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "scheme": "http", + "domain": "10.0.100.30" }, "tags": [ "preserve_original_event" @@ -894,7 +928,7 @@ } }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -916,8 +950,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427141884Z", - "original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "ingested": "2021-06-09T10:11:35.839820600Z", + "original": "2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", "start": "2019-08-16T09:40:45Z", 
@@ -935,6 +969,7 @@ }, "cisco": { "ftd": { + "rule_name": "malware-and-file-policy", "security": { "file_policy": "malware-and-file-policy", "sha_disposition": "Unavailable", @@ -959,8 +994,6 @@ "client": "cURL", "user": "No Authentication Required" }, - "message_id": "430005", - "rule_name": "malware-and-file-policy", "threat_category": "Unknown" } } @@ -998,7 +1031,10 @@ "ip": "10.0.1.20" }, "url": { - "original": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d" + "path": "/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "original": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "scheme": "http", + "domain": "18.197.225.123" }, "tags": [ "preserve_original_event" @@ -1024,7 +1060,7 @@ } }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1046,8 +1082,8 @@ }, "event": { "severity": 1, - "ingested": "2021-06-03T06:53:39.427143048Z", - "original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "ingested": "2021-06-09T10:11:35.839821600Z", + "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", "start": "2019-08-16T09:42:06Z", @@ -1090,7 +1126,6 @@ "client": "cURL", "user": "No Authentication Required" }, - "message_id": "430005", "rule_name": "malware-and-file-policy", "threat_category": "Pdf.Exploit.Pdfka::100.sbx.tg" } 
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json index d7bd470045b..a052fd4d7ab 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json @@ -49,8 +49,14 @@ "ip": "3.3.3.3" }, "url": { + "path": "/favicon.ico", + "extension": "ico", "original": "http://bad-malwaresite-grr.info/favicon.ico", - "domain": "eyedropper-color-pick.info" + "scheme": "http", + "domain": [ + "bad-malwaresite-grr.info", + "eyedropper-color-pick.info" + ] }, "tags": [ "preserve_original_event" @@ -79,7 +85,7 @@ }, "@timestamp": "2020-03-01T01:02:36.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
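Review bot: In the first hunk `url.domain` becomes a two-element array, `bad-malwaresite-grr.info` (the host of the `URL:` field) and `eyedropper-color-pick.info` (the `ReferencedHost:` value, i.e. the referer host), which means the new uri_parts output is being appended to a value the pipeline already set from ReferencedHost instead of replacing it. ECS `url.domain` is a single keyword naming the requested URL's host; the referer host already has a home in `http.request.referrer` (the `HTTPReferer:` value) and mixing it in means any rule or dashboard matching on `url.domain` hits the referring site as well as the malware site. This file is a fixture, so the fix belongs in the ftd pipeline's ReferencedHost handling rather than here: stop writing ReferencedHost into `url.domain`, after which the expected value becomes `"domain": "bad-malwaresite-grr.info"`.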
@@ -104,8 +110,8 @@ "event": { "severity": 0, "duration": 20000000000, - "ingested": "2021-06-03T06:53:39.990392255Z", - "original": "%NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", + "ingested": "2021-06-09T10:11:36.196097700Z", + "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, 
ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", "code": "430003", "kind": "event", "start": "2020-03-01T01:02:16.000Z", @@ -119,7 +125,7 @@ "end", "allowed" ], - "outcome": "allow" + "outcome": "success" }, "user": { "name": "No Authentication Required", @@ -160,7 +166,6 @@ "responder_bytes": "246", "user": "No Authentication Required" }, - "message_id": "430003", "rule_name": [ "COOL-POLICY-3D", "Inside DMZ-Rule-Inline" diff --git a/packages/cisco/data_stream/ftd/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/ftd/agent/stream/stream.yml.hbs index 39855b826e7..118adc06c53 100644 --- a/packages/cisco/data_stream/ftd/agent/stream/stream.yml.hbs +++ b/packages/cisco/data_stream/ftd/agent/stream/stream.yml.hbs @@ -4,11 +4,17 @@ paths: {{/each}} exclude_files: [".gz$"] tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains tags "forwarded"}} +publisher_pipeline.disable_host: true +{{/contains}} processors: - - add_locale: ~ +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco/data_stream/ftd/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/ftd/agent/stream/udp.yml.hbs index f094f0a771b..c88f570899c 100644 --- a/packages/cisco/data_stream/ftd/agent/stream/udp.yml.hbs +++ b/packages/cisco/data_stream/ftd/agent/stream/udp.yml.hbs 
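Review bot: The new `{{#if processors}}{{processors}}{{/if}}` block in stream.yml.hbs splices user-supplied YAML verbatim directly after `- add_locale: ~`, so it only extends the `processors` list when the supplied text is itself a list of items at column 0; anything indented, or not a list, renders an invalid agent configuration with no hint about where it came from. A template comment makes the contract explicit, e.g. `{{!-- processors must be a YAML list at column 0; it is appended to the list above --}}` placed before the `{{#if processors}}`. The same applies to the identical block added to udp.yml.hbs. Both templates also now end without a trailing newline (`\ No newline at end of file`), which is worth restoring.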
@@ -1,10 +1,16 @@ host: "{{udp_host}}:{{udp_port}}" tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains tags "forwarded"}} +publisher_pipeline.disable_host: true +{{/contains}} processors: - - add_locale: ~ +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml index 6aa63a625ba..9f2c2eac3d7 100644 --- a/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml 
@@ -1,25 +1,28 @@ --- -description: "Pipeline for Cisco FTD logs" +description: "Pipeline for Cisco ASA logs" processors: - set: field: event.ingested value: '{{_ingest.timestamp}}' - + - rename: + field: message + target_field: event.original + ignore_missing: true - set: field: ecs.version - value: '1.9.0' + value: '1.10.0' # # Parse the syslog header # # This populates the host.hostname, process.name, timestamp and other fields - # from the header and stores the message contents in log.original. + # from the header and stores the message contents in _temp_.full_message. - grok: - field: message + field: event.original patterns: - - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:event.original}" + - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" pattern_definitions: SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" - SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.facility.code:int}(?:.%{NONNEGINT:log.syslog.priority:int})?>" + SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>" # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" @@ -34,7 +37,7 @@ processors: # # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. - grok: - field: event.original + field: _temp_.full_message patterns: - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. 
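Review bot: The first line of the first hunk changes the description to `Pipeline for Cisco ASA logs`, but the file header shows this is the FTD data stream's pipeline (`data_stream/ftd/elasticsearch/ingest_pipeline/default.yml`), so this looks like a copy-paste from the ASA pipeline; keep `description: "Pipeline for Cisco FTD logs"`. In the same hunk `SYSLOGFACILITY` now writes `syslog.facility.code` and `syslog.priority` instead of the ECS `log.syslog.facility.code` / `log.syslog.priority` it wrote before; unless a later processor outside this hunk moves them back, facility and priority land in a non-ECS top-level namespace and anything keyed on `log.syslog.facility.code` stops matching. If the move is intentional, a comment on the pattern definition saying where the fields are renamed would save the next reader the search.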
@@ -181,97 +184,120 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '106001'" field: "message" + description: "106001" pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106002'" field: "message" + description: "106002" pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - dissect: if: "ctx._temp_.cisco.message_id == '106006'" field: "message" + description: "106006" pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106007'" field: "message" + description: "106007" pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - grok: if: "ctx._temp_.cisco.message_id == '106010'" field: "message" + description: "106010" patterns: - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" 
- dissect: if: "ctx._temp_.cisco.message_id == '106013'" field: "message" + description: "106013" pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" - set: if: "ctx._temp_.cisco.message_id == '106013'" field: "network.transport" + description: "106013" value: icmp - set: if: "ctx._temp_.cisco.message_id == '106013'" field: "network.direction" + description: "106013" value: inbound - grok: if: "ctx._temp_.cisco.message_id == '106014'" field: "message" + description: "106014" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?" + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" 
- grok: if: "ctx._temp_.cisco.message_id == '106015'" field: "message" + description: "106015" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106016'" field: "message" pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106016" - dissect: if: "ctx._temp_.cisco.message_id == '106017'" field: "message" pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + description: "106017" - dissect: if: "ctx._temp_.cisco.message_id == '106018'" field: "message" pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + description: "106018" - dissect: if: "ctx._temp_.cisco.message_id == '106020'" field: "message" pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + description: "106020" - dissect: if: "ctx._temp_.cisco.message_id == '106021'" field: "message" pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106021" - dissect: if: "ctx._temp_.cisco.message_id == '106022'" field: "message" pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} 
on interface %{_temp_.cisco.source_interface}" + description: "106022" - grok: if: "ctx._temp_.cisco.message_id == '106023'" field: "message" + description: "106023" patterns: - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" - dissect: if: "ctx._temp_.cisco.message_id == '106027'" field: "message" + description: "106027" pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' - dissect: if: "ctx._temp_.cisco.message_id == '106100'" field: "message" + description: "106100" pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" field: "message" + description: "106103" pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '111004'" field: "message" + description: "111004" pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" - set: field: event.outcome + description: "111004" value: "success" if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" - set: field: event.outcome + description: "111004" value: "failure" if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome 
== 'FAILED'" - remove: 
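Review bot: The dissect handling both message ids 106102 and 106103 is labelled `description: "106103"` only, while the combined `302013, 302015` processor in the next hunk lists both ids; since these descriptions are what ingest pipeline stats and processor failure messages report, use `description: "106102, 106103"` so a parse failure on a 106102 message is attributed to the right processor. Separately, as rendered here the 106014 pattern ends its destination capture with `(?[^ (]*)`, a group with no name, which Oniguruma would reject; if the intended `(?<destination.address>[^ (]*)` was merely lost in rendering this is moot, otherwise the group name needs restoring or the whole pipeline fails to load. The enclosing `processors:` list continues past the end of this hunk.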
@@ -279,296 +305,457 @@ processors: ignore_missing: true - append: field: event.type + description: "111004" value: "change" if: "ctx._temp_.cisco.message_id == '111004'" - grok: if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" field: "message" patterns: - "^%{NOTSPACE} '%{NOTSPACE:host.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" - grok: if: "ctx._temp_.cisco.message_id == '111010'" field: "message" + description: "111010" patterns: - "User '%{NOTSPACE:host.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" - dissect: if: "ctx._temp_.cisco.message_id == '113019'" field: "message" + description: "113019" pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" - - dissect: + - grok: if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' field: "message" - pattern: "Built %{network.direction} %{network.transport} connection %{_temp_.cisco.connection_id} for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + description: "302013, 302015" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" - dissect: if: "ctx._temp_.cisco.message_id == '303002'" field: "message" + description: "303002" pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - dissect: if: "ctx._temp_.cisco.message_id == '302012'" field: "message" + description: "302012" pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" - grok: if: "ctx._temp_.cisco.message_id == '302020'" field: "message" + description: "302020" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr %{IP:destination.address}/%{NUMBER} (%{DATA})?gaddr %{IP:_temp_.natsrcip}/%{NUMBER} laddr %{IP:source.address}/%{NUMBER}(%{GREEDYDATA})?" + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
+ pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" - pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + description: "302022" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302023'" + field: "message" + description: "302023" + pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" - grok: if: "ctx._temp_.cisco.message_id == '304001'" field: "message" + description: "304001" patterns: - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" - value: allow + description: "304001" + value: success - dissect: if: "ctx._temp_.cisco.message_id == '304002'" field: "message" + description: "304002" pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '305011'" field: "message" - pattern: "Built %{} 
%{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + description: "305011" + patterns: + - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} - dissect: if: "ctx._temp_.cisco.message_id == '313001'" field: "message" + description: "313001" pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '313004'" field: "message" + description: "313004" pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" - dissect: if: "ctx._temp_.cisco.message_id == '313005'" field: "message" + description: "313005" pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" - dissect: if: "ctx._temp_.cisco.message_id == '313008'" field: "message" + description: "313008" pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '313009'" field: "message" + description: "313009" pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '322001'" field: "message" + description: "322001" pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '338001'" field: "message" + description: "338001" pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338001'" field: "server.domain" + description: "338001" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338002'" field: "message" + description: "338002" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - set: if: "ctx._temp_.cisco.message_id == '338002'" field: "server.domain" + description: "338002" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338003'" field: "message" + description: "338003" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d 
%{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338004'" field: "message" + description: "338004" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338005'" field: "message" + description: "338005" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338005'" field: "server.domain" + description: "338005" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338006'" field: "message" + description: "338006" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} 
traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338006'" field: "server.domain" + description: "338006" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338007'" field: "message" + description: "338007" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338008'" field: "message" + description: "338008" pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338101'" field: "message" + description: "338101" pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic 
from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" - set: if: "ctx._temp_.cisco.message_id == '338101'" field: "server.domain" + description: "338101" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338102'" field: "message" + description: "338102" pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - set: if: "ctx._temp_.cisco.message_id == '338102'" field: "server.domain" + description: "338102" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338103'" field: "message" + description: "338103" pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" - dissect: if: "ctx._temp_.cisco.message_id == '338104'" field: "message" + description: "338104" pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} 
(%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" - dissect: if: "ctx._temp_.cisco.message_id == '338201'" field: "message" + description: "338201" pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338201'" field: "server.domain" + description: "338201" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338202'" field: "message" + description: "338202" pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338202'" field: "server.domain" + description: "338202" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338203'" field: "message" + description: "338203" pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338203'" field: "server.domain" + description: "338203" value: "{{source.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338204'" field: "message" + description: "338204" pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338204'" field: "server.domain" + description: "338204" value: "{{destination.domain}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338301'" field: "message" + description: "338301" pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "client.address" + description: "338301" value: "{{destination.address}}" ignore_empty_value: true - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "client.port" + description: "338301" value: "{{destination.port}}" 
ignore_empty_value: true - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "server.address" + description: "338301" value: "{{source.address}}" ignore_empty_value: true - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "server.port" + description: "338301" value: "{{source.port}}" ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '502103'" field: "message" + description: "502103" pattern: "User priv level changed: Uname: %{host.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" - append: if: "ctx._temp_.cisco.message_id == '502103'" field: "event.type" + description: "502103" value: - "group" - "change" - append: if: "ctx._temp_.cisco.message_id == '502103'" field: "event.category" + description: "502103" value: "iam" - dissect: if: "ctx._temp_.cisco.message_id == '507003'" field: "message" + description: "507003" pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" - dissect: if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' field: "message" + description: "605004, 605005" pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' - dissect: if: "ctx._temp_.cisco.message_id == '609001'" field: "message" + description: "609001" pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" - dissect: if: "ctx._temp_.cisco.message_id == '609002'" field: "message" + description: "609002" pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" - dissect: if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' field: "message" + description: "611102, 611101" pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{host.user.name}' - dissect: if: "ctx._temp_.cisco.message_id == '710003'" field: "message" - pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + description: "710003" + pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '710005'" field: "message" - pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + description: "710005" + pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '713049'" field: "message" + description: "713049" pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '716002'" field: "message" - pattern: "Group %{} User %{source.user.name} IP %{source.address} WebVPN session terminated: User Requested." - - dissect: + description: "716002" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." 
+ - grok: if: "ctx._temp_.cisco.message_id == '722051'" field: "message" - pattern: "Group %{} User %{source.user.name} IP %{source.address} IPv4 Address %{_temp_.cisco.assigned_ip} %{}" + description: "722051" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - dissect: if: "ctx._temp_.cisco.message_id == '733100'" field: "message" + description: "733100" pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" + description: "734001" pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" - dissect: if: "ctx._temp_.cisco.message_id == '805001'" field: "message" + description: "805001" pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - dissect: if: "ctx._temp_.cisco.message_id == '805002'" field: "message" + description: "805002" pattern: "%{network.transport} Flow is no longer offloaded for 
connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - split: field: "_temp_.cisco.dap_records" separator: ",\\s+" ignore_missing: true + - dissect: + if: "ctx._temp_.cisco.message_id == '434002'" + field: "message" + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." 
+ - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." + - dissect: + if: "ctx._temp_.cisco.message_id == '750003'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" + - grok: + if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "message" + patterns: + - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" + # Handle ecs action outcome protocol + - set: + if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "unknown" + - set: + if: '["419002"].contains(ctx._temp_.cisco.message_id)' + field: "network.protocol" + value: "tcp" + - set: + if: '["110002"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["713120"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "connection-started" + - set: + if: '["750003", "713905", "713904", "713906", "713902", 
"713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "error" + - append: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.type" + value: "error" # # Handle 302xxx messages (Flow expiration a.k.a "Teardown") 
@@ -577,12 +764,19 @@ processors: if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" + description: "302012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" - grok: field: "message" if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: - - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA} - - Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from 
%{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) 
%{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" @@ -599,6 +793,7 @@ processors: - kv: if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' field: "message" + description: "430001, 430002, 430003, 430004, 430005" field_split: ",(?=[A-za-z1-9\\s]+:)" value_split: ":" target_field: "_temp_.orig_security" 
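Review bot: The six rewritten Teardown patterns capture `%{NUMBER:network.bytes}` without the `:int` suffix that the removed pattern carried, so network.bytes now lands as a string unless a convert processor outside this hunk casts it; `%{NUMBER:network.bytes:int}` keeps the numeric type ECS defines for the field while `source.port:int` on the same lines shows the convention was meant to be kept. Because grok stops at the first pattern that matches, the ordering from the most specific tail (reason, initiator and user) down to the bare `duration ... bytes` form is what makes the optional segments land in the right fields; a one-line comment above `patterns:` stating that the list is ordered most-specific-first would protect it from a well-meaning reorder.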
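Review bot: The added `description: "430001, 430002, 430003, 430004, 430005"` omits the empty-string entry that the condition on the preceding line also matches (`""` is in the list), so the description understates when this kv processor runs. Either drop `""` from the condition if it is a leftover, or extend the description to say that events with an empty message_id are split as well.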
@@ -607,14 +802,15 @@ processors: ignore_failure: true # - # Remove message. + # Remove _temp_.full_message. # # The field has been used as temporary buffer while decoding. The full message - # is kept log.original. Processors below can still add a message field, as some + # is kept under event.original. Processors below can still add a message field, as some # security events contain an explanatory Message field. - remove: field: - message + - _temp_.full_message ignore_missing: true # @@ -1015,7 +1211,6 @@ processors: "430003": connection-finished "430004": file-detected "430005": malware-detected - "dns.question.type": map: "a host address": A 
@@ -1027,14 +1222,12 @@ processors: "marks the start of a zone of authority": SOA "mail exchange": MX "server selection": SRV - "dns.response_code": map: "non-existent domain": NXDOMAIN "server failure": SERVFAIL "query refused": REFUSED "no error": NOERROR - source: | def getField(Map src, String[] path) { for (int i=0; i + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.egress?.zone != null && + ctx?.observer?.ingress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + 
!ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) + + - set: + field: _temp_.url_domain + value: "{{url.domain}}" ignore_failure: true + if: ctx?.url?.domain != null - - convert: - field: "destination.nat.port" - type: integer + - uri_parts: + field: url.original ignore_failure: true + if: ctx?.url?.original != null + - append: + field: url.domain + value: "{{_temp_.url_domain}}" + ignore_failure: true + allow_duplicates: false + if: ctx?._temp_?.url_domain != null # # Populate ECS event.code # - - convert: + - rename: field: _temp_.cisco.message_id target_field: event.code - type: string ignore_failure: true - - remove: field: - _temp_.cisco.message_id - event.code if: 'ctx._temp_.cisco.message_id == ""' ignore_failure: true - # # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. # @@ -1435,14 +1711,12 @@ processors: field: _temp_.cisco target_field: "cisco.ftd" ignore_failure: true - # # Remove temporary fields # - remove: field: _temp_ ignore_missing: true - # # Rename some 7.x fields # @@ -1450,7 +1724,6 @@ processors: field: cisco.ftd.list_id target_field: cisco.ftd.rule_name ignore_missing: true - # ECS categorization - script: lang: painless @@ -1500,6 +1773,36 @@ processors: - malware type: - info + bypass: + kind: event + category: + - network + type: + - info + - change + error: + kind: event + outcome: failure + category: + - network + type: + - error + deleted: + kind: event + category: + - network + type: + - info + - deletion + - user + creation: + kind: event + category: + - network + type: + - info + - creation + - user source: >- if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { return; 
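Review bot: Replacing the `convert` with `rename: field: _temp_.cisco.message_id` / `target_field: event.code` while deleting the `remove` that dropped both fields when message_id was `""` means an event with an empty message id now ends up with `event.code: ""`; the kv condition earlier in this file lists `""` as a reachable message_id, and the null-stripping script added at the end of the pipeline removes nulls only, not empty strings. Adding `if: ctx._temp_.cisco.message_id != ""` to the rename, or a follow-up `remove` of event.code when it is empty, would keep the previous behaviour. As a style point, the five `network.direction` set processors repeat the same four null checks; computing the direction once in a single painless script would be easier to keep consistent.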
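Review bot: The new `error` entry in params carries `outcome: failure`, but the script body visible in this and the following hunk reads only the `kind`, `category` and `type` keys, so that value appears never to be applied (old line 1506 is not shown, so this is inferred from what is visible). The set processors added earlier in this patch already assign `event.outcome: failure` for the 713xxx and 750003 ids, so either drop the key or have the script honour it with `if (params.get(ctx.event.action).containsKey('outcome')) { ctx.event.outcome = params.get(ctx.event.action).get('outcome'); }`.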
@@ -1507,22 +1810,28 @@ processors: ctx.event.kind = params.get(ctx.event.action).get('kind'); ctx.event.category = params.get(ctx.event.action).get('category').clone(); ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null) { return; } if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { - if (ctx.event.outcome == 'allow') { + if (ctx.event.outcome == 'success') { ctx.event.type.add('allowed'); } - if (ctx.event.outcome == 'deny') { + if (ctx.event.outcome == 'failure') { ctx.event.type.add('denied'); } if (ctx.event.outcome == 'block') { - ctx.event.type.add('denied'); + ctx.event.type.add('failure'); } } + - set: + description: copy destination.user.name to user.name if it is not set + field: user.name + value: "{{destination.user.name}}" + ignore_empty_value: true + if: ctx?.user?.name == null + # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. - set: field: observer.hostname @@ -1553,11 +1862,21 @@ processors: value: "{{source.ip}}" if: "ctx?.source?.ip != null" allow_duplicates: false + - append: + field: related.ip + value: "{{source.nat.ip}}" + if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false - append: field: related.ip value: "{{destination.ip}}" if: "ctx?.destination?.ip != null" allow_duplicates: false + - append: + field: related.ip + value: "{{destination.nat.ip}}" + if: "ctx?.destination?.nat?.ip != null" + allow_duplicates: false - append: field: related.user value: "{{user.name}}" @@ -1573,6 +1892,11 @@ processors: value: "{{source.user.name}}" if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' allow_duplicates: false + - append: + field: related.user + value: "{{destination.user.name}}" + if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' + allow_duplicates: false - append: field: related.hash value: "{{file.hash.sha256}}" 
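Review bot: The `block` branch of the categorization script now appends `'failure'` to `event.type`, but `failure` is an `event.outcome` value and not a member of the ECS `event.type` allowed set, while the sibling branches were correctly retargeted to the normalized `success`/`failure` outcomes and still add `allowed`/`denied`. Either keep `ctx.event.type.add('denied');` for `block`, or, if `block` can no longer reach this point once outcomes are normalized to `success`/`failure`, delete the branch rather than leave an invalid value in the type list. Removing the early `if (ctx?.event?.outcome == null) { return; }` is safe here because the string comparisons tolerate a null outcome, but a one-line comment saying so would stop the next reader from re-adding it. The script starts in the previous hunk.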
@@ -1598,6 +1922,30 @@ processors: value: "{{source.domain}}" if: ctx.source?.domain != null && ctx.source?.domain != '' allow_duplicates: false + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); - remove: field: event.original if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" diff --git a/packages/cisco/data_stream/ftd/fields/ecs.yml b/packages/cisco/data_stream/ftd/fields/ecs.yml index d6720a1edbb..c5e862e306b 100644 --- a/packages/cisco/data_stream/ftd/fields/ecs.yml +++ b/packages/cisco/data_stream/ftd/fields/ecs.yml 
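Review bot: `handleList` in the new null-stripping script only recurses into nested maps and lists; it never removes `null` elements of the list itself, so should a `null` ever land inside an array-valued field it is kept while the same value at map level is dropped. If the intent is "remove nulls everywhere", add `list.removeIf(v -> v == null);` after the loop in `handleList`, mirroring the `map.values().removeIf(...)` call in `handleMap`. The `description` states what the processor does but not that it walks the entire `ctx` and runs before the conditional `event.original` removal; a short note to that effect on the `- script:` entry would help anyone reordering the tail of this pipeline.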
@@ -120,6 +120,28 @@ - name: network.transport type: keyword description: Protocol Name corresponding to the field `iana_number`. +- name: network.inner + level: extended + type: object + description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + default_field: false +- name: network.inner.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false +- name: network.inner.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false +- name: network.type + type: keyword + description: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - name: process.name type: keyword description: Process name. @@ -168,9 +190,6 @@ - name: source.port type: long description: Port of the source. -- name: url.original - type: keyword - description: Unmodified original url as seen in the event source. - name: user.email type: keyword description: User email address. 
@@ -356,15 +375,81 @@ - name: source.packets type: long description: Packets sent from the source to the destination. -- name: url.domain - type: keyword - description: Domain of the url. - name: user_agent.original type: keyword description: Unparsed user_agent string. -- name: log.syslog.facility.code +- name: syslog.facility.code type: long description: Syslog numeric facility of the event. -- name: log.syslog.priority +- name: syslog.priority type: long description: Syslog priority of the event. +- name: url + title: URL + group: 2 + type: group + fields: + - name: domain + type: keyword + description: 'Domain of the url, such as "www.elastic.co".' + - name: extension + type: keyword + ignore_above: 1024 + description: "The field contains the file extension from the original request url, excluding the leading dot." + - name: fragment + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + - name: full + type: keyword + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + - name: original + type: keyword + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: "Unmodified original url as seen in the event source." + - name: password + type: keyword + ignore_above: 1024 + description: Password of the request. + - name: path + type: keyword + description: Path of the request, such as "/search". + - name: port + type: long + format: string + description: Port of the request, such as 443. + - name: query + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such as "q=elasticsearch".' 
+ - name: registered_domain + type: keyword + description: "The highest registered url domain, stripped of the subdomain." + - name: scheme + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https".' + - name: subdomain + type: keyword + ignore_above: 1024 + description: "The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain." + default_field: false + - name: top_level_domain + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".' + - name: username + type: keyword + ignore_above: 1024 + description: Username of the request. diff --git a/packages/cisco/data_stream/ftd/fields/fields.yml b/packages/cisco/data_stream/ftd/fields/fields.yml index 3294ec3c9ae..26b46deb169 100644 --- a/packages/cisco/data_stream/ftd/fields/fields.yml +++ b/packages/cisco/data_stream/ftd/fields/fields.yml 
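Review bot: Renaming `log.syslog.facility.code` and `log.syslog.priority` to top-level `syslog.facility.code` and `syslog.priority` in the ECS field list looks like a regression rather than an ECS 1.10 alignment: ECS keeps these under `log.syslog.*`, and if the pipeline still writes `log.syslog.*` (its relevant lines are not in this diff) those fields lose their explicit mapping and an unused top-level `syslog` object is declared instead. Unless a `log` group was introduced elsewhere in this file, restore `- name: log.syslog.facility.code` and `- name: log.syslog.priority`. Separately, the new `url` group applies `ignore_above: 1024` to some keyword members (`extension`, `fragment`, `password`, `query`, `scheme`, `subdomain`, `top_level_domain`, `username`) but not to `domain`, `full`, `original`, `path` or `registered_domain`; the ECS definitions apply it uniformly, so pick one convention.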
@@ -82,69 +82,68 @@ - name: command_line_arguments default_field: false type: keyword - description: > + description: | The command line arguments logged by the local audit log - - name: assigned_ip default_field: false type: ip - description: > + description: | The IP address assigned to a VPN client successfully connecting - - name: privilege.old default_field: false type: keyword - description: > + description: | When a users privilege is changed this is the old value - - name: privilege.new default_field: false type: keyword - description: > + description: | When a users privilege is changed this is the new value - - name: burst.object default_field: false type: keyword - description: > + description: | The related object for burst warnings - - name: burst.id default_field: false type: keyword - description: > + description: | The related rate ID for burst warnings - - name: burst.current_rate default_field: false type: keyword - description: > + description: | The current burst rate seen - - name: burst.configured_rate default_field: false type: keyword - description: > + description: | The current configured burst rate - - name: burst.avg_rate default_field: false type: keyword - description: > + description: | The current average burst rate seen - - name: burst.configured_avg_rate default_field: false type: keyword - description: > + description: | The current configured average burst rate allowed - - name: burst.cumulative_count default_field: false type: keyword - description: > + description: | The total count of burst rate hits since the object was created or cleared - - name: security type: flattened description: Cisco FTD security event fields. + - name: webvpn.group_name + type: keyword + default_field: false + description: | + The WebVPN group name the user belongs to + - name: termination_user + default_field: false + type: keyword + description: |- + AAA name of user requesting termination 
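Review bot: The new `termination_user` entry uses `description: |-` while every other description this hunk touches was just normalized from `>` to `|`, so the file ends up with two block-scalar styles for the same kind of one-line text; use `description: |` here too, or `|-` everywhere if the trailing newline is unwanted. The new `webvpn.group_name` entry also orders `type` before `default_field`, the reverse of its siblings. Neither affects the generated mapping, but the file is otherwise being linted in this commit, so the inconsistencies will stand out.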
diff --git a/packages/cisco/data_stream/ftd/manifest.yml b/packages/cisco/data_stream/ftd/manifest.yml index f9ea3c962a3..ff96bb4360b 100644 --- a/packages/cisco/data_stream/ftd/manifest.yml +++ b/packages/cisco/data_stream/ftd/manifest.yml @@ -15,6 +15,7 @@ streams: show_user: false default: - cisco-ftd + - forwarded - name: udp_host type: text title: UDP host to listen on @@ -29,6 +30,13 @@ streams: required: true show_user: true default: 9003 + - name: log_level + type: integer + title: Log Level + multi: false + required: true + show_user: false + default: 7 - name: preserve_original_event required: true show_user: true @@ -37,13 +45,15 @@ streams: type: bool multi: false default: false - - name: log_level - type: integer - title: Log Level + - name: processors + type: yaml + title: Processors multi: false - required: true + required: false show_user: false - default: 7 + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile enabled: false title: Cisco FTD logs @@ -57,14 +67,6 @@ streams: show_user: true default: - /var/log/cisco-ftd.log - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - name: tags type: text title: Tags @@ -73,6 +75,7 @@ streams: show_user: false default: - cisco-ftd + - forwarded - name: log_level type: integer title: Log Level 
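Review bot: The `log_level` option added to the udp stream (and its counterpart in the logfile stream) carries a `title` and a default of 7 but no `description`, whereas `preserve_original_event` and the new `processors` option both explain what they do; a user seeing an integer input labelled only "Log Level" cannot tell whether 7 is a syslog severity cut-off or a verbosity knob. Add a one-line `description:` stating the meaning of the number and the accepted range, in the same style as the `processors` description. Adding `forwarded` to the default `tags` is also a behavioural change if the ftd stream templates key `publisher_pipeline.disable_host` off that tag the way the ios templates in this patch do, which is worth a sentence in the option's description or the changelog so existing users know why `host.*` disappears.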
@@ -80,3 +83,20 @@ streams: required: true show_user: false default: 7 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log index 532806a026c..d52c0d7b1b8 100644 --- a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log +++ b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log 
@@ -16,4 +16,4 @@ Mar 24 18:06:00 198.51.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: Us Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3 Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3 Mar 24 12:09:35 198.51.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0 -Mar 24 12:06:47 198.51.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19 +Mar 24 12:06:47 198.51.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19 \ No newline at end of file diff --git a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json index 27e0c683f94..094fad2a2e4 100644 --- a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json +++ b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json @@ -27,7 +27,7 @@ "packets": 1 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -38,13 +38,13 @@ "event": { "severity": 6, "sequence": 585917, - "ingested": "2021-06-03T06:53:40.219184164Z", + "ingested": "2021-06-09T10:11:36.356972400Z", "original": "Feb 8 04:00:48 198.51.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -\u003e 224.0.0.22, 1 packet", "code": "IPACCESSLOGRP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { 
@@ -83,7 +83,7 @@ "type": "20" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -94,13 +94,13 @@ "event": { "severity": 6, "sequence": 585918, - "ingested": "2021-06-03T06:53:40.219188906Z", + "ingested": "2021-06-09T10:11:36.356977500Z", "original": "Feb 9 04:00:48 198.51.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 198.51.100.2 -\u003e 224.0.0.2 (20), 1 packet", "code": "IPACCESSLOGSP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { @@ -135,7 +135,7 @@ "packets": 1 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -146,13 +146,13 @@ "event": { "severity": 6, "sequence": 585919, - "ingested": "2021-06-03T06:53:40.219190244Z", + "ingested": "2021-06-09T10:11:36.356978800Z", "original": "Feb 10 04:00:48 198.51.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 198.51.100.1 -\u003e 255.255.255.255, 1 packet", "code": "IPACCESSLOGNP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { @@ -190,7 +190,7 @@ "packets": 9 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -201,13 +201,13 @@ "event": { "severity": 6, "sequence": 585920, - "ingested": "2021-06-03T06:53:40.219191472Z", + "ingested": "2021-06-09T10:11:36.356979800Z", "original": "May 3 19:11:33 198.51.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2001:DB8::3(1027) -\u003e 2001:DB8:1000::1(22), 9 packets", "code": "ACCESSLOGP", "provider": "firewall", "action": "allow", "category": "network", - "type": "info" + "type": "allowed" }, "cisco": { "ios": { @@ -245,7 +245,7 @@ "packets": 1 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -256,13 +256,13 @@ "event": { "severity": 6, "sequence": 1663303, - "ingested": "2021-06-03T06:53:40.219192695Z", + "ingested": "2021-06-09T10:11:36.356980800Z", "original": "Jun 20 02:41:40 198.51.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(55250) -\u003e 198.51.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { @@ -302,7 +302,7 @@ "packets": 1 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -313,13 +313,13 @@ "event": { "severity": 6, "sequence": 1663304, - "ingested": "2021-06-03T06:53:40.219193857Z", + "ingested": "2021-06-09T10:11:36.356981800Z", "original": "Jun 20 02:41:45 198.51.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 198.51.100.1 -\u003e 198.51.100.2 (3/4), 1 packet", "code": "IPACCESSLOGDP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { @@ -357,7 +357,7 @@ "packets": 1 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -368,13 +368,13 @@ "event": { "severity": 6, "sequence": 1663312, - "ingested": "2021-06-03T06:53:40.219195040Z", + "ingested": "2021-06-09T10:11:36.356982800Z", "original": "Jun 20 02:42:28 198.51.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(54309) -\u003e 198.51.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { @@ -385,7 +385,7 @@ }, { "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "log": { "level": "informational", 
@@ -396,7 +396,7 @@ "event": { "severity": 6, "sequence": 1663313, - "ingested": "2021-06-03T06:53:40.219196195Z", + "ingested": "2021-06-09T10:11:36.356983800Z", "original": "Jun 20 02:42:28 198.51.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets", "code": "IPACCESSLOGRL", "provider": "firewall", @@ -442,7 +442,7 @@ "packets": 1 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -453,13 +453,13 @@ "event": { "severity": 6, "sequence": 1663314, - "ingested": "2021-06-03T06:53:40.219197354Z", + "ingested": "2021-06-09T10:11:36.356984800Z", "original": "Jun 20 02:42:34 198.51.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(43989) -\u003e 198.51.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { @@ -512,7 +512,7 @@ "packets": 1 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -523,13 +523,13 @@ "event": { "severity": 6, "sequence": 1663321, - "ingested": "2021-06-03T06:53:40.219198575Z", + "ingested": "2021-06-09T10:11:36.356985800Z", "original": "Jun 20 02:43:09 198.51.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59832) -\u003e 172.217.10.46(80), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { @@ -540,7 +540,7 @@ }, { "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "log": { "level": "informational", 
@@ -551,7 +551,7 @@ "event": { "severity": 6, "sequence": 1663325, - "ingested": "2021-06-03T06:53:40.219199726Z", + "ingested": "2021-06-09T10:11:36.356986800Z", "original": "Jun 20 02:43:29 198.51.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets", "code": "IPACCESSLOGRL", "provider": "firewall", @@ -599,7 +599,7 @@ "packets": 32 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -610,13 +610,13 @@ "event": { "severity": 6, "sequence": 1663326, - "ingested": "2021-06-03T06:53:40.219201053Z", + "ingested": "2021-06-09T10:11:36.356987900Z", "original": "Jun 20 02:43:29 198.51.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.12 -\u003e 198.51.100.1 (3/3), 32 packets", "code": "IPACCESSLOGDP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { @@ -669,7 +669,7 @@ "packets": 1 }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -680,13 +680,13 @@ "event": { "severity": 6, "sequence": 1663327, - "ingested": "2021-06-03T06:53:40.219202221Z", + "ingested": "2021-06-09T10:11:36.356988900Z", "original": "Jun 20 02:43:30 198.51.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59834) -\u003e 172.217.10.46(80), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", "action": "deny", "category": "network", - "type": "info" + "type": "denied" }, "cisco": { "ios": { @@ -720,7 +720,7 @@ "type": "ipv4" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -733,7 +733,7 @@ "event": { "severity": 5, "sequence": 1991219, - "ingested": "2021-06-03T06:53:40.219203363Z", + "ingested": "2021-06-09T10:11:36.356989900Z", "original": "Mar 24 18:06:03 198.51.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", "code": "LOGIN_SUCCESS", "provider": "firewall", @@ -749,7 +749,7 @@ }, { "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -776,7 +776,7 @@ "event": { "severity": 6, "sequence": 1991220, - "ingested": "2021-06-03T06:53:40.219204507Z", + "ingested": "2021-06-09T10:11:36.356990900Z", "original": "Mar 24 18:06:00 198.51.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)", "code": "LOGOUT", "provider": "firewall", @@ -823,7 +823,7 @@ "type": "ipv4" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -835,7 +835,7 @@ "severity": 6, "sequence": 1991221, "reason": "Invalid RP", - "ingested": "2021-06-03T06:53:40.219205649Z", + "ingested": "2021-06-09T10:11:36.356992Z", "original": "Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", "code": "INVALID_RP_JOIN", "provider": "firewall", @@ -880,7 +880,7 @@ "type": "ipv4" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -892,7 +892,7 @@ "severity": 6, "sequence": 1991221, "reason": "Invalid RP", - "ingested": "2021-06-03T06:53:40.219206882Z", + "ingested": "2021-06-09T10:11:36.356993Z", "original": "Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", "code": "INVALID_RP_JOIN", "provider": "firewall", 
@@ -919,7 +919,7 @@ }, { "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "log": { "level": "warning", @@ -930,7 +930,7 @@ "event": { "severity": 4, "sequence": 1991217, - "ingested": "2021-06-03T06:53:40.219208053Z", + "ingested": "2021-06-09T10:11:36.356994Z", "original": "Mar 24 12:09:35 198.51.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0", "code": "NOVALIDKEY", "provider": "firewall", @@ -949,7 +949,7 @@ }, { "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "log": { "level": "informational", @@ -960,7 +960,7 @@ "event": { "severity": 6, "sequence": 1991218, - "ingested": "2021-06-03T06:53:40.219209207Z", + "ingested": "2021-06-09T10:11:36.356995Z", "original": "Mar 24 12:06:47 198.51.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", "code": "CALL_PRESERVED", "provider": "firewall", diff --git a/packages/cisco/data_stream/ios/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/ios/agent/stream/stream.yml.hbs index 39855b826e7..118adc06c53 100644 --- a/packages/cisco/data_stream/ios/agent/stream/stream.yml.hbs +++ b/packages/cisco/data_stream/ios/agent/stream/stream.yml.hbs @@ -4,11 +4,17 @@ paths: {{/each}} exclude_files: [".gz$"] tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains tags "forwarded"}} +publisher_pipeline.disable_host: true +{{/contains}} processors: - - add_locale: ~ +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco/data_stream/ios/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/ios/agent/stream/udp.yml.hbs index 9bf5cf1f95f..8ab6545258c 100644 --- a/packages/cisco/data_stream/ios/agent/stream/udp.yml.hbs 
+++ b/packages/cisco/data_stream/ios/agent/stream/udp.yml.hbs @@ -1,11 +1,16 @@ host: "{{syslog_host}}:{{syslog_port}}" tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} {{#contains tags "forwarded"}} publisher_pipeline.disable_host: true -{{/contains}} \ No newline at end of file +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco/data_stream/ios/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/ios/elasticsearch/ingest_pipeline/default.yml index 3fb73b78d8a..8901313c471 100644 --- a/packages/cisco/data_stream/ios/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco/data_stream/ios/elasticsearch/ingest_pipeline/default.yml @@ -7,7 +7,11 @@ processors: value: '{{_ingest.timestamp}}' - set: field: ecs.version - value: '1.9.0' + value: '1.10.0' + - rename: + field: message + target_field: event.original + ignore_missing: true - set: field: event.category value: network @@ -17,9 +21,6 @@ processors: - set: field: event.type value: info - - rename: - field: message - target_field: event.original - dissect: field: event.original pattern: "%{_temp_.ts->} %{+_temp_.ts} %{+_temp_.ts->} %{log.source.address} %{event.sequence}: %{_temp_.timestamp}: %{_temp_.message}" 
@@ -38,58 +39,58 @@ processors: - dissect: field: message pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address}(%{source.port}) %{} %{destination.address}(%{destination.port}), %{source.packets} packet" - if: "['IPACCESSLOGP', 'ACCESSLOGP'].contains(ctx?.event?.code)" + if: "['IPACCESSLOGP', 'ACCESSLOGP'].contains(ctx.event?.code)" - dissect: field: message pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{icmp.type}/%{icmp.code}), %{source.packets} packet" - if: "['IPACCESSLOGDP', 'ACCESSLOGDP'].contains(ctx?.event?.code)" + if: "['IPACCESSLOGDP', 'ACCESSLOGDP'].contains(ctx.event?.code)" - dissect: field: message pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address}, %{source.packets} packet" - if: "ctx?.event?.code == 'IPACCESSLOGRP'" + if: "ctx.event?.code == 'IPACCESSLOGRP'" - dissect: field: message pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{igmp.type}), %{source.packets} packet" - if: "['IPACCESSLOGSP', 'ACCESSLOGSP'].contains(ctx?.event?.code)" + if: "['IPACCESSLOGSP', 'ACCESSLOGSP'].contains(ctx.event?.code)" - dissect: field: message pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet" - if: "['IPACCESSLOGNP', 'ACCESSLOGNP'].contains(ctx?.event?.code)" + if: "['IPACCESSLOGNP', 'ACCESSLOGNP'].contains(ctx.event?.code)" - dissect: field: message pattern: "%{cisco.ios.action} %{_temp_.event.action} [user: %{source.user.name}] [Source: %{source.address}] [localport: %{destination.port}] at %{}" - if: "ctx?.event?.code == 'LOGIN_SUCCESS'" + if: "ctx.event?.code == 'LOGIN_SUCCESS'" - dissect: field: message pattern: "User %{source.user.name} has %{cisco.ios.action} 
%{cisco.ios.session.type} session %{cisco.ios.session.number}(%{source.address})" - if: "ctx?.event?.code == 'LOGOUT'" + if: "ctx.event?.code == 'LOGOUT'" - grok: field: message patterns: - 'Received \(%{PIM_SOURCE}, %{DATA:cisco.ios.pim.group.ip}\) %{WORD:cisco.ios.action} from %{IP:source.address} for %{DATA:cisco.ios.outcome} %{IP:destination.address}' pattern_definitions: PIM_SOURCE: (%{IP:cisco.ios.pim.source.ip}|%{DATA}) - if: "ctx?.event?.code == 'INVALID_RP_JOIN'" + if: "ctx.event?.code == 'INVALID_RP_JOIN'" - set: field: event.action value: "multicast-join" - if: ctx?.event?.code == "INVALID_RP_JOIN" + if: ctx.event?.code == "INVALID_RP_JOIN" - set: field: event.outcome value: "failure" - if: ctx?.event?.code == "INVALID_RP_JOIN" + if: ctx.event?.code == "INVALID_RP_JOIN" - set: field: event.reason value: "Invalid RP" - if: ctx?.event?.code == "INVALID_RP_JOIN" + if: ctx.event?.code == "INVALID_RP_JOIN" - set: field: destination.ip value: '{{ destination.address }}' - if: ctx?.destination?.address != null + if: ctx.destination?.address != null - set: field: source.ip value: '{{ source.address }}' - if: ctx?.source?.address != null + if: ctx.source?.address != null - convert: field: cisco.ios.pim.source.ip type: ip 
@@ -109,24 +110,31 @@ processors: - set: field: network.packets copy_from: source.packets - if: ctx?.source?.packets != null + if: ctx.source?.packets != null - set: field: network.type value: ipv4 - if: "ctx?.source?.ip != null && ctx?.source?.ip.contains('.')" + if: "ctx.source?.ip != null && ctx.source?.ip.contains('.')" - set: field: network.type value: ipv6 - if: "ctx?.source?.ip != null && ctx?.network?.type == null" + if: "ctx.source?.ip != null && ctx.network?.type == null" - set: field: event.action value: deny - if: "ctx?._temp_?.event?.action == 'denied'" + if: "ctx._temp_?.event?.action == 'denied'" + - set: + field: event.type + value: denied + if: "ctx.event?.action == 'deny'" - set: field: event.action value: allow - if: "ctx?._temp_?.event?.action == 'permitted'" - + if: "ctx._temp_?.event?.action == 'permitted'" + - set: + field: event.type + value: allowed + if: "ctx.event?.action == 'allow'" - set: field: "log.level" if: "ctx.event.severity == 0" @@ -176,16 +184,16 @@ processors: field: source.ip target_field: source.as properties: - - asn - - organization_name + - asn + - organization_name ignore_missing: true - geoip: database_file: GeoLite2-ASN.mmdb field: destination.ip target_field: destination.as properties: - - asn - - organization_name + - asn + - organization_name ignore_missing: true - rename: field: source.as.asn @@ -226,7 +234,7 @@ processors: ignore_missing: true - remove: field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" ignore_failure: true ignore_missing: true diff --git a/packages/cisco/data_stream/ios/manifest.yml b/packages/cisco/data_stream/ios/manifest.yml index dbf0b65d44e..cbbdb93b394 100644 --- a/packages/cisco/data_stream/ios/manifest.yml +++ b/packages/cisco/data_stream/ios/manifest.yml 
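Review bot: The two new `set` processors assign `event.type` the scalar `denied`/`allowed`, which overwrites the `info` value set near the top of this pipeline (visible in the earlier hunk) and diverges from the ftd categorization script in this same patch, which keeps `info` and appends `allowed`/`denied` to the list. Since `event.type` is an array field in ECS, prefer `- append:` with `field: event.type`, `value: denied` and `allow_duplicates: false` (and likewise for `allowed`) so both data streams produce `["info", "denied"]`; the regenerated expected JSON in this commit currently pins the overwritten scalar, so it would need regenerating. Either way, a short comment on these processors saying whether replacing `info` is intentional would settle it for the next reader.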
@@ -15,6 +15,7 @@ streams: show_user: false default: - cisco-ios + - forwarded - name: syslog_host type: text title: Host to listen on @@ -37,6 +38,15 @@ streams: type: bool multi: false default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile enabled: false title: Cisco IOS logs @@ -50,6 +60,15 @@ streams: show_user: true default: - /var/log/cisco-ios.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-ios + - forwarded - name: preserve_original_event required: true show_user: true @@ -58,11 +77,11 @@ streams: type: bool multi: false default: false - - name: tags - type: text - title: Tags - multi: true - required: true + - name: processors + type: yaml + title: Processors + multi: false + required: false show_user: false - default: - - cisco-ios + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log new file mode 100644 index 00000000000..05501480e40 --- /dev/null +++ b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log 
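Review bot: The `processors` option is documented identically in both ios streams but the two descriptions use different block scalars (`>` with a trailing blank line in the udp stream, `>-` in the logfile stream); pick one, as the rendered text is the same and the trailing blank line is otherwise noise. The description also does not say what shape the value must have: the stream templates in this patch splice `{{processors}}` verbatim under a `processors:` key at column 0 after `- add_locale: ~`, so the value presumably has to be a top-level YAML list of processor entries or the input will fail to load. Add a sentence such as `Must be a YAML list of processor definitions.` to both descriptions.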
@@ -0,0 +1,100 @@ +modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny +umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu +uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe +mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents +obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140 +iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83' +ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198 +ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34 +orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225 +olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307 +uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept +omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound 
protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu +omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26 +agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290 +olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125 +amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq +giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese +agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d' +apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu +ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237 +tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid 
server=10.63.194.87 vpn_type=quisno connectivity=sin +emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam +ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176 +spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp +smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev +nisiuta 1484921656.roid inibusB flows cancel +str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite +amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98 +isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios +oin 1489861473.mvenia madminim events IDS: fugitsed +dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal +umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei 
priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev +velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 +iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc +tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin +ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv +dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912' +itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb +leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn +sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb 
direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse +tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4 +undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat +itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq +archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem +umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16 +unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5 +esci 1510855695.uov quaeab_ events IDS: moles +accusa 1512090649.natu liquid events IDS: enim +dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta +tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010' +lapar 1515795512.ritati edquia_appliance events IDS: itesse +amvolu 
mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur +uide 1518265421.scivel henderi_appliance events IDS: iusmodt +tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole +runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119 +tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido +osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum +umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny +atnul 1525675146.umfugi stquidol_ flows luptatem flows accept +essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni +lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia +inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem +eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol 
priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute +runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86 +inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi +lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95 +hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori +dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim +oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 
01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus +nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt +rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 +idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu +ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve +quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb +eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7 +uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2 +sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas +edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333' +antium 1550374232.remaper eseosq events dhcp no offers for mac 
01:00:5e:c3:77:27 +oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230 +asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut +estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum +ercitati 1555314049.atem serro flows cancel +amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88 +abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin +lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat +saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58 +tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9 +aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui +nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam 
dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe +tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq +oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8' +metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents +veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor +atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua +deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598' +orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19 +explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 
01:00:5e:b8:06:92 +rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib +orr 1576308271.pre aute events IDS: rchite diff --git a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-config.yml b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json new file mode 100644 index 00000000000..c3bcd4a09b6 --- /dev/null +++ b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json 
@@ -0,0 +1,1204 @@ +{ + "expected": [ + { + "ecs": { + "version": "1.10.0" + }, + "message": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny", + "event": { + "ingested": "2021-06-09T10:11:36.698782600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu", + "event": { + "ingested": "2021-06-09T10:11:36.698787300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", + "event": { + "ingested": "2021-06-09T10:11:36.698788600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", + "event": { + "ingested": "2021-06-09T10:11:36.698789800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", + "event": { + "ingested": "2021-06-09T10:11:36.698790900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", + 
"event": { + "ingested": "2021-06-09T10:11:36.698791900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", + "event": { + "ingested": "2021-06-09T10:11:36.698793Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", + "event": { + "ingested": "2021-06-09T10:11:36.698794Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", + "event": { + "ingested": "2021-06-09T10:11:36.698795Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", + "event": { + "ingested": "2021-06-09T10:11:36.698796100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", + "event": { + "ingested": "2021-06-09T10:11:36.698797100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 
message:nsequu", + "event": { + "ingested": "2021-06-09T10:11:36.698798200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", + "event": { + "ingested": "2021-06-09T10:11:36.698799200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", + "event": { + "ingested": "2021-06-09T10:11:36.698800200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", + "event": { + "ingested": "2021-06-09T10:11:36.698801300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", + "event": { + "ingested": "2021-06-09T10:11:36.698802300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", + "event": { + "ingested": "2021-06-09T10:11:36.698803300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", + 
"event": { + "ingested": "2021-06-09T10:11:36.698804400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", + "event": { + "ingested": "2021-06-09T10:11:36.698805400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", + "event": { + "ingested": "2021-06-09T10:11:36.698806500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", + "event": { + "ingested": "2021-06-09T10:11:36.698807500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan 
is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam", + "event": { + "ingested": "2021-06-09T10:11:36.698809300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", + "event": { + "ingested": "2021-06-09T10:11:36.698847100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", + "event": { + "ingested": "2021-06-09T10:11:36.698848400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", + "event": { + "ingested": "2021-06-09T10:11:36.698849600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "nisiuta 1484921656.roid inibusB flows cancel", + "event": { + "ingested": "2021-06-09T10:11:36.698850600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", + "event": { + "ingested": 
"2021-06-09T10:11:36.698851500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", + "event": { + "ingested": "2021-06-09T10:11:36.698852500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", + "event": { + "ingested": "2021-06-09T10:11:36.698853500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "oin 1489861473.mvenia madminim events IDS: fugitsed", + "event": { + "ingested": "2021-06-09T10:11:36.698854500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", + "event": { + "ingested": "2021-06-09T10:11:36.698855500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", + "event": { + "ingested": "2021-06-09T10:11:36.698856500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", + "event": { + "ingested": "2021-06-09T10:11:36.698857400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + 
"version": "1.10.0" + }, + "message": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", + "event": { + "ingested": "2021-06-09T10:11:36.698858400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", + "event": { + "ingested": "2021-06-09T10:11:36.698859500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", + "event": { + "ingested": "2021-06-09T10:11:36.698860400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", + "event": { + "ingested": "2021-06-09T10:11:36.698861400Z" + }, + "tags": [ + "preserve_original_event" + ] 
+ }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", + "event": { + "ingested": "2021-06-09T10:11:36.698862400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", + "event": { + "ingested": "2021-06-09T10:11:36.698863400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse", + "event": { + "ingested": "2021-06-09T10:11:36.698864500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", + "event": { + "ingested": "2021-06-09T10:11:36.698865400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", + "event": { + "ingested": "2021-06-09T10:11:36.698866400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq ", + "event": { + "ingested": "2021-06-09T10:11:36.698867900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo 
arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", + "event": { + "ingested": "2021-06-09T10:11:36.698868900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16", + "event": { + "ingested": "2021-06-09T10:11:36.698869900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", + "event": { + "ingested": "2021-06-09T10:11:36.698870900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "esci 1510855695.uov quaeab_ events IDS: moles", + "event": { + "ingested": "2021-06-09T10:11:36.698871800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "accusa 1512090649.natu liquid events IDS: enim", + "event": { + "ingested": "2021-06-09T10:11:36.698872800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal 
protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", + "event": { + "ingested": "2021-06-09T10:11:36.698873800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", + "event": { + "ingested": "2021-06-09T10:11:36.698874800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", + "event": { + "ingested": "2021-06-09T10:11:36.698875900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", + "event": { + "ingested": "2021-06-09T10:11:36.698876800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "uide 1518265421.scivel henderi_appliance events IDS: iusmodt", + "event": { + "ingested": "2021-06-09T10:11:36.698877800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", + "event": { + "ingested": "2021-06-09T10:11:36.698878800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", + 
"event": { + "ingested": "2021-06-09T10:11:36.698879700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", + "event": { + "ingested": "2021-06-09T10:11:36.698880700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", + "event": { + "ingested": "2021-06-09T10:11:36.698881600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny", + "event": { + "ingested": "2021-06-09T10:11:36.698882600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", + "event": { + "ingested": "2021-06-09T10:11:36.698883700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", + "event": { + "ingested": "2021-06-09T10:11:36.698884700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp 
src=10.171.206.139 dst=10.165.173.162message: lestia", + "event": { + "ingested": "2021-06-09T10:11:36.698885600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", + "event": { + "ingested": "2021-06-09T10:11:36.698886700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", + "event": { + "ingested": "2021-06-09T10:11:36.698887600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", + "event": { + "ingested": "2021-06-09T10:11:36.698888600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", + "event": { + "ingested": "2021-06-09T10:11:36.698889600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95", + "event": { + "ingested": "2021-06-09T10:11:36.698890500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla 
auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori", + "event": { + "ingested": "2021-06-09T10:11:36.698891500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", + "event": { + "ingested": "2021-06-09T10:11:36.698892500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", + "event": { + "ingested": "2021-06-09T10:11:36.698893500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + 
"ecs": { + "version": "1.10.0" + }, + "message": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", + "event": { + "ingested": "2021-06-09T10:11:36.698894400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", + "event": { + "ingested": "2021-06-09T10:11:36.698895400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", + "event": { + "ingested": "2021-06-09T10:11:36.698896300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", + "event": { + "ingested": "2021-06-09T10:11:36.698897300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 
01:00:5e:67:fc:cb", + "event": { + "ingested": "2021-06-09T10:11:36.698898300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", + "event": { + "ingested": "2021-06-09T10:11:36.698899500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", + "event": { + "ingested": "2021-06-09T10:11:36.698900400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", + "event": { + "ingested": "2021-06-09T10:11:36.698902300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", + "event": { + "ingested": "2021-06-09T10:11:36.698903300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", + "event": { + "ingested": "2021-06-09T10:11:36.698904300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", + "event": { + "ingested": "2021-06-09T10:11:36.698905300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl 
timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", + "event": { + "ingested": "2021-06-09T10:11:36.698906300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum", + "event": { + "ingested": "2021-06-09T10:11:36.698907200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ercitati 1555314049.atem serro flows cancel", + "event": { + "ingested": "2021-06-09T10:11:36.698908200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", + "event": { + "ingested": "2021-06-09T10:11:36.698909300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", + "event": { + "ingested": "2021-06-09T10:11:36.698910300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", + "event": { + "ingested": "2021-06-09T10:11:36.698911200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both 
claim IP: 10.126.242.58", + "event": { + "ingested": "2021-06-09T10:11:36.698912200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", + "event": { + "ingested": "2021-06-09T10:11:36.698913200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", + "event": { + "ingested": "2021-06-09T10:11:36.698914100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", + "event": { + "ingested": "2021-06-09T10:11:36.698915100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper 
rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", + "event": { + "ingested": "2021-06-09T10:11:36.698916100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", + "event": { + "ingested": "2021-06-09T10:11:36.698917100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", + "event": { + "ingested": "2021-06-09T10:11:36.698918100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", + "event": { + "ingested": "2021-06-09T10:11:36.698919100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", + "event": { + "ingested": "2021-06-09T10:11:36.698920Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "deom 1571368454.tiumdo rautod_appliance events 
content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", + "event": { + "ingested": "2021-06-09T10:11:36.698921Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", + "event": { + "ingested": "2021-06-09T10:11:36.698922Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", + "event": { + "ingested": "2021-06-09T10:11:36.698923Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", + "event": { + "ingested": "2021-06-09T10:11:36.698924Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "orr 1576308271.pre aute events IDS: rchite", + "event": { + "ingested": "2021-06-09T10:11:36.698924900Z" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
diff --git a/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs index 1f8157fff2e..e2111807eed 100644 --- a/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs +++ b/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs @@ -4,12 +4,12 @@ paths: {{/each}} exclude_files: [".gz$"] tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} fields_under_root: true fields: observer: @@ -21,6 +21,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: @@ -1019,7 +1022,7 @@ processors: } var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_facility": {convert: to_long, to:[{field: "syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, diff --git a/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs index 24f7bdb42a3..b453cd9c674 100644 --- a/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs +++ b/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs @@ -1,12 +1,12 @@ tcp: host: "{{tcp_host}}:{{tcp_port}}" tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} fields_under_root: true fields: observer: 
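Review bot: In the `var ecs_mappings` hunk (@@ -1019) the `_facility` target moves from `log.syslog.facility.code` to `syslog.facility.code`, while `_pri` and `_severity` on the next two lines stay under `log.syslog.*`, so the facility code is split away from its siblings into a top-level `syslog` object that is not an ECS field set. If this is deliberate (a mapping conflict, for example), the data stream's fields definition needs a matching `syslog.facility.code` entry and the changelog should call out the rename, because any query or detection rule keyed on `log.syslog.facility.code` will stop matching silently; if it is not deliberate, the line should read `"_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},`. The same change appears in the udp.yml.hbs hunk at @@ -1016 on the next diff line, but no corresponding hunk for tcp.yml.hbs is in this patch, so if its copy of `ecs_mappings` still uses the old name, the three inputs will emit different field names for the same message. The enclosing script block begins and ends outside the hunk.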
@@ -18,6 +18,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: diff --git a/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs index d9a25f0753c..672c85f5bc7 100644 --- a/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs +++ b/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs @@ -1,12 +1,12 @@ udp: host: "{{udp_host}}:{{udp_port}}" tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} fields_under_root: true fields: observer: @@ -18,6 +18,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: @@ -1016,7 +1019,7 @@ processors: } var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_facility": {convert: to_long, to:[{field: "syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, diff --git a/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml index 836cdca0b8e..9667477bc46 100644 --- a/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml 
@@ -4,69 +4,69 @@ description: Pipeline for Cisco Meraki processors: # ECS event.ingested - set: - field: event.ingested - value: '{{_ingest.timestamp}}' + field: event.ingested + value: '{{_ingest.timestamp}}' - set: - field: ecs.version - value: 1.9.0 + field: ecs.version + value: "1.10.0" # User agent - user_agent: - field: user_agent.original - ignore_missing: true + field: user_agent.original + ignore_missing: true # IP Geolocation Lookup - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true + field: source.ip + target_field: source.geo + ignore_missing: true - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true + field: destination.ip + target_field: destination.geo + ignore_missing: true # IP Autonomous System (AS) Lookup - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true + field: source.as.asn + target_field: source.as.number + ignore_missing: true - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true - 
rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true on_failure: - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco/data_stream/meraki/manifest.yml b/packages/cisco/data_stream/meraki/manifest.yml index 1f770c68d4e..1e6886498d3 100644 --- a/packages/cisco/data_stream/meraki/manifest.yml +++ b/packages/cisco/data_stream/meraki/manifest.yml @@ -42,14 +42,6 @@ streams: required: false show_user: true default: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - name: keep_raw_fields type: bool title: Keep raw parser fields 
@@ -62,6 +54,23 @@ streams: required: false show_user: false default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp title: Cisco Meraki logs description: Collect Cisco Meraki logs @@ -102,14 +111,6 @@ streams: required: false show_user: true default: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - name: keep_raw_fields type: bool title: Keep raw parser fields @@ -122,6 +123,23 @@ streams: required: false show_user: false default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile enabled: false title: Cisco Meraki logs 
@@ -156,14 +174,6 @@ streams: required: false show_user: true default: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - name: keep_raw_fields type: bool title: Keep raw parser fields @@ -176,3 +186,19 @@ streams: required: false show_user: false default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs index fa9f7784b5c..e2ffbc33dd9 100644 --- a/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs +++ b/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs @@ -4,12 +4,12 @@ paths: {{/each}} exclude_files: [".gz$"] tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} fields_under_root: true fields: observer: @@ -21,6 +21,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: 
diff --git a/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs index f8eed53e9c1..4c06bdde190 100644 --- a/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs +++ b/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs @@ -1,12 +1,12 @@ tcp: host: "{{tcp_host}}:{{tcp_port}}" tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} fields_under_root: true fields: observer: @@ -18,6 +18,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: diff --git a/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs index eaff38462c7..cf2777b100d 100644 --- a/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs +++ b/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs @@ -1,12 +1,12 @@ udp: host: "{{udp_host}}:{{udp_port}}" tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} {{#if preserve_original_event}} - - preserve_original_event + - preserve_original_event {{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} fields_under_root: true fields: observer: @@ -18,6 +18,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: diff --git a/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml index c1e3434d74d..466453c3ab3 100644 --- a/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml 
@@ -4,69 +4,69 @@ description: Pipeline for Cisco Nexus processors: # ECS event.ingested - set: - field: event.ingested - value: '{{_ingest.timestamp}}' + field: event.ingested + value: '{{_ingest.timestamp}}' - set: - field: ecs.version - value: 1.9.0 + field: ecs.version + value: "1.10.0" # User agent - user_agent: - field: user_agent.original - ignore_missing: true + field: user_agent.original + ignore_missing: true # IP Geolocation Lookup - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true + field: source.ip + target_field: source.geo + ignore_missing: true - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true + field: destination.ip + target_field: destination.geo + ignore_missing: true # IP Autonomous System (AS) Lookup - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true + field: source.as.asn + target_field: source.as.number + ignore_missing: true - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true - 
rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true on_failure: - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco/data_stream/nexus/manifest.yml b/packages/cisco/data_stream/nexus/manifest.yml index f7042f2661a..a608512a5c5 100644 --- a/packages/cisco/data_stream/nexus/manifest.yml +++ b/packages/cisco/data_stream/nexus/manifest.yml @@ -42,14 +42,6 @@ streams: required: false show_user: true default: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - name: keep_raw_fields type: bool title: Keep raw parser fields 
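Review bot: As in the Meraki pipeline, the `remove` of `event.original` sits at the end of the Nexus processor list, so a failure in an earlier processor (the `geoip` steps only set `ignore_missing`, and an unparseable `source.ip`/`destination.ip` would trip them) diverts into `on_failure` and skips the remove, leaving the raw syslog line stored on documents where `preserve_original_event` was not requested. The handler also records nothing but `error.message`, so partially processed events carry no `event.kind` marker that detections could filter on. Repeating the conditional remove inside `on_failure` and setting `event.kind` closes both gaps; the exact marker value should follow whatever the other Cisco data streams use.
```yaml
# … unchanged: processors list …
on_failure:
  - remove:
      field: event.original
      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
      ignore_failure: true
      ignore_missing: true
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: "{{ _ingest.on_failure_message }}"
```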
@@ -62,6 +54,23 @@ streams: required: false show_user: false default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp title: Cisco Nexus logs description: Collect Cisco Nexus logs @@ -102,14 +111,6 @@ streams: required: false show_user: true default: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - name: keep_raw_fields type: bool title: Keep raw parser fields @@ -122,6 +123,23 @@ streams: required: false show_user: false default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile enabled: false title: Cisco Nexus logs 
@@ -156,14 +174,6 @@ streams: required: false show_user: true default: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - name: keep_raw_fields type: bool title: Keep raw parser fields @@ -176,3 +186,20 @@ streams: required: false show_user: false default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md index c827f0961cf..325e1cee2d1 100644 --- a/packages/cisco/docs/README.md +++ b/packages/cisco/docs/README.md 
@@ -178,12 +178,15 @@ An example event for `asa` looks as following: | cisco.asa.privilege.new | When a users privilege is changed this is the new value | keyword | | cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword | | cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.asa.security | Cisco FTD security event fields. | flattened | | cisco.asa.source_interface | Source interface for the flow or event. | keyword | | cisco.asa.source_username | Name of the user that is the source for this event. | keyword | | cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword | +| cisco.asa.termination_user | AAA name of user requesting termination | keyword | | cisco.asa.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | | cisco.asa.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | | cisco.asa.username | | keyword | +| cisco.asa.webvpn.group_name | The WebVPN group name the user belongs to | keyword | | client.user.name | Short name or login of the user. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | 
@@ -255,15 +258,17 @@ An example event for `asa` looks as following: | log.level | Log level of the log event. | keyword | | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | Syslog numeric facility of the event. | long | -| log.syslog.priority | Syslog priority of the event. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. | text | | nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | | network.bytes | Total bytes transferred in both directions. | long | | network.direction | Direction of the network traffic. | keyword | | network.iana_number | IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | | network.protocol | L7 Network protocol name. | keyword | | network.transport | Protocol Name corresponding to the field `iana_number`. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | keyword | | observer.egress.interface.name | Interface name | keyword | | observer.egress.zone | Observer Egress zone | keyword | | observer.hostname | Hostname of the observer. | keyword | 
@@ -298,8 +303,23 @@ An example event for `asa` looks as following: | source.nat.port | Source NAT port | long | | source.port | Port of the source. | long | | source.user.name | Short name or login of the user. | keyword | +| syslog.facility.code | Syslog numeric facility of the event. | long | +| syslog.priority | Syslog priority of the event. | long | | tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | keyword | | url.original | Unmodified original url as seen in the event source. | keyword | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. | keyword | +| url.scheme | Scheme of the request, such as "https". | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". | keyword | +| url.username | Username of the request. | keyword | | user.email | User email address. | keyword | | user.name | Short name or login of the user. | keyword | 
@@ -524,9 +544,11 @@ An example event for `ftd` looks as following: | cisco.ftd.source_interface | Source interface for the flow or event. | keyword | | cisco.ftd.source_username | Name of the user that is the source for this event. | keyword | | cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword | +| cisco.ftd.termination_user | AAA name of user requesting termination | keyword | | cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | | cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | | cisco.ftd.username | | keyword | +| cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword | | client.user.name | Short name or login of the user. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | @@ -569,7 +591,7 @@ An example event for `ftd` looks as following: | error.message | Error message. | text | | event.category | Event category (e.g. database) | keyword | | event.code | Identification code for this event | keyword | -| event.created | The date/time when the event was first read by an agent, or by your pipeline. | date | +| event.created | Date/time when the event was first read by an agent, or by your pipeline. | date | | event.duration | Duration of the event in nanoseconds. | long | | event.end | The date when the event ended or when the activity was last observed. | keyword | | event.ingested | The timestamp when an event arrived in the central data store | date | 
@@ -607,16 +629,18 @@ An example event for `ftd` looks as following: | log.level | Log level of the log event. | keyword | | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | Syslog numeric facility of the event. | long | -| log.syslog.priority | Syslog priority of the event. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. | text | | nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | | network.application | Application level protocol name. | keyword | | network.bytes | Total bytes transferred in both directions. | long | | network.direction | Direction of the network traffic. | keyword | | network.iana_number | IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | | network.protocol | L7 Network protocol name. | keyword | | network.transport | Protocol Name corresponding to the field `iana_number`. | keyword | +| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc | keyword | | observer.egress.interface.name | Interface name | keyword | | observer.egress.zone | Observer Egress zone | keyword | | observer.hostname | Hostname of the observer. | keyword | 
@@ -654,9 +678,23 @@ An example event for `ftd` looks as following: | source.packets | Packets sent from the source to the destination. | long | | source.port | Port of the source. | long | | source.user.name | Short name or login of the user. | keyword | +| syslog.facility.code | Syslog numeric facility of the event. | long | +| syslog.priority | Syslog priority of the event. | long | | tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | keyword | | url.original | Unmodified original url as seen in the event source. | keyword | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. | keyword | +| url.scheme | Scheme of the request, such as "https". | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". | keyword | +| url.username | Username of the request. | keyword | | user.email | User email address. 
| keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | diff --git a/packages/cisco/manifest.yml b/packages/cisco/manifest.yml index 87d2a3f415a..66ba189be54 100644 --- a/packages/cisco/manifest.yml +++ b/packages/cisco/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: cisco title: Cisco -version: 0.9.2 +version: 0.9.3 license: basic description: Cisco Integration type: integration