Merge branch 'main' into lv/sekoia_agent_fix_dns_fields

SEKOIA-IO · Dec 17, 2024 · dc5771b · dc5771b
2 parents ba36359 + 9e170ae
commit dc5771b
Show file tree

Hide file tree

Showing 9 changed files with 195 additions and 15 deletions.
diff --git a/Cisco/cisco-secure-firewall/ingest/parser.yml b/Cisco/cisco-secure-firewall/ingest/parser.yml
@@ -55,12 +55,15 @@ pipeline:
           "106021": "%{CISCO_106021}"
           "106023": "%{CISCO_106023}"
           "106100": "%{CISCO_106100}"
+          "109201": "%{CISCO_109201}"
           "110002": "%{CISCO_110002}"
           "110003": "%{CISCO_110003}"
           "111007": "%{CISCO_111007}"
           "111008": "%{CISCO_111008}"
-          "113012": "%{CISCO_113012}"
           "113004": "%{CISCO_113004}"
+          "113012": "%{CISCO_113012}"
+          "113019": "%{CISCO_113019}"
+          "113039": "%{CISCO_113039}"
           "199019": "%{CISCO_199019}"
           "302013": "%{CISCO_302013_302014_302015_302016}"
           "302014": "%{CISCO_302013_302014_302015_302016}"
@@ -120,12 +123,15 @@ pipeline:
           CISCO_106021: "%{CISCO_ACTION:action_name} %{DATA:network_transport} reverse path check from %{IP:source_ip} to %{IP:destination_ip} on interface %{GREEDYDATA:destination_address}"
           CISCO_106023: '%{CISCO_ACTION:action_name}( protocol)? %{DATA:network_transport} src %{DATA:source_address}:%{DATA:source_ip}(/%{INT:source_port})?(\(%{DATA}\))? dst %{DATA:destination_address}:%{DATA:destination_ip}(/%{INT:destination_port})?(\(%{DATA}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "?%{DATA:action_outcome_reason}"? \[%{DATA}, %{DATA}\]'
           CISCO_106100: 'access-list %{NOTSPACE:action_outcome_reason} %{CISCO_ACTION:action_name} %{DATA:network_transport} %{DATA:source_address}/%{IP:source_ip}\(%{INT:source_port}\)(\(%{DATA}\))? -> %{DATA:destination_address}/%{IP:destination_ip}\(%{INT:destination_port}\)(\(%{DATA}\))? hit-cnt %{INT:network_packets} %{CISCO_INTERVAL:network_duration} \[%{DATA}, %{DATA}\]'
+          CISCO_109201: "UAUTH: Session=%{DATA}, User=%{DATA:user_name}, Assigned IP=%{IP:source_ip}, (?P<action_outcome_reason>Succeeded adding entry.)"
           CISCO_110002: "%{CISCO_REASON:action_name} for %{DATA:network_transport} from %{DATA:source_address}:%{IP:source_ip}/%{INT:source_port} to %{IP:destination_ip}/%{INT:destination_port}"
           CISCO_110003: '%{GREEDYDATA:action_name} from %{WORD}\:%{IP:source_ip}\/([1-2]?[0-9]|3[0-2]) to %{WORD}\:%{IP:destination_ip}\/([1-2]?[0-9]|3[0-2])(, %{GREEDYDATA:action_outcome_reason})?'
           CISCO_111007: '%{GREEDYDATA:action_name}: %{IP:source_ip} reading from %{NOTSPACE:network_transport} \[%{DATA:http_method}\]'
           CISCO_111008: "User '%{DATA:user_name}' executed the '%{GREEDYDATA:action_name}' command"
-          CISCO_113004: "%{GREEDYDATA} user authentication %{WORD} : server = (\\s*)?%{IP:destination_ip} : user = %{DATA:user_name}"
+          CISCO_113004: "%{GREEDYDATA} user (authentication|authorization) %{WORD} : server = (\\s*)?%{IP:destination_ip} : user = %{DATA:user_name}"
           CISCO_113012: "%{GREEDYDATA} user authentication %{WORD} : local database : user = %{DATA:user_name}"
+          CISCO_113019: "Group = %{GREEDYDATA:user_group}, Username = %{WORD:user_name}, IP = %{IP:source_ip}, %{DATA:action_outcome_reason}.Session Type: %{DATA:session_type}, Duration: %{DATA:special_duration}, Bytes xmt: %{DATA:bytes_xmt}, Bytes rcv: %{DATA:bytes_rcv}, Reason: %{GREEDYDATA:action_outcome_reason}"
+          CISCO_113039: "Group <%{GREEDYDATA:user_group}> User <%{WORD:user_name}> IP <%{IP:source_ip}> (?P<action_outcome_reason>AnyConnect parent session started.)"
           CISCO_199019: '%{GREEDYDATA} %{DURATION} %{WORD:process_name}\[%{GREEDYDATA:process_id}\]: %{WORD:log_host} %{GREEDYDATA:result}'
           CISCO_302013_302014_302015_302016: '%{CISCO_ACTION:action_name}(?: %{CISCO_DIRECTION:network_direction})? %{DATA:network_transport} connection %{INT} for %{DATA:source_address}:%{IP:source_ip}/%{INT:source_port}( \(%{IP:source_nat_ip}/%{INT:source_nat_port}\))?(\(%{DATA}\))? to %{DATA:destination_address}:%{IP:destination_ip}/%{INT:destination_port}( \(%{IP:destination_nat_ip}/%{INT:destination_nat_port}\))?(\(%{DATA}\))?( duration %{DATA:network_duration} bytes %{INT:network_bytes})?%{DATA}( \(%{DATA:user_name}\))?'
           CISCO_302020_302021: '%{CISCO_ACTION:action_name}(?: %{CISCO_DIRECTION:network_direction})? %{DATA:network_transport} connection for faddr %{IP:source_ip}/%{INT:source_port}(\(%{DATA:user_group}\\%{DATA}\))? gaddr %{IP}/%{INT} laddr %{IP:destination_ip}/%{INT:destination_port}( \(%{DATA:user_name}\))?( type %{INT:icmp_type} code %{INT:icmp_code})?%{DATA}'
@@ -176,7 +182,7 @@ pipeline:
 
   - name: set_common_fields
   - name: set_ecs_fields
-    filter: '{{pre_parsing.pre_message.message_number_grok in ["106001","110003", "106006", "106007", "106010", "106012", "106014", "106015", "106021", "106023", "106100", "110002", "111007", "111008", "113004", "113012", "199019", "302013", "302014", "302015", "302016", "302020", "302021", "304001", "305011", "313001", "313004", "313005", "313008", "305012", "402117", "402119", "419001", "419002", "500004", "602303", "602304", "609001", "609002", "611101", "611103", "710001", "710002", "710003", "710005", "710006", "716058", "713172", "716059", "722011", "722012", "722022", "722023", "722028", "722032", "722033", "722034", "722037", "725001", "733100", "725002", "725003", "725006", "725007", "737016", "852001"]}}'
+    filter: '{{pre_parsing.pre_message.message_number_grok in ["106001","110003", "106006", "106007", "106010", "106012", "106014", "106015", "106021", "106023", "106100", "109201", "110002", "111007", "111008", "113004", "113012", "113019", "113039", "199019", "302013", "302014", "302015", "302016", "302020", "302021", "304001", "305011", "313001", "313004", "313005", "313008", "305012", "402117", "402119", "419001", "419002", "500004", "602303", "602304", "609001", "609002", "611101", "611103", "710001", "710002", "710003", "710005", "710006", "716058", "713172", "716059", "722011", "722012", "722022", "722023", "722028", "722032", "722033", "722034", "722037", "725001", "733100", "725002", "725003", "725006", "725007", "737016", "852001"]}}'
   - name: set_ecs_fields_from_kv
     filter: '{{pre_parsing.pre_message.message_number_grok in ["430001","430002","430003","430004","430005"]}}'
   - name: set_ecs_fields_from_condition
@@ -408,6 +414,18 @@ stages:
           event.type: ["end"]
           event.outcome: "success"
         filter: '{{pre_parsing.pre_message.message_number_grok in ["611103"]}}'
+      - set:
+          event.category: ["session"]
+          event.type: ["end"]
+        filter: '{{pre_parsing.pre_message.message_number_grok in ["113019"]}}'
+      - set:
+          event.category: ["session"]
+          event.type: ["start"]
+        filter: '{{pre_parsing.pre_message.message_number_grok in ["113039"]}}'
+      - set:
+          event.category: ["iam"]
+          event.type: ["user"]
+        filter: '{{pre_parsing.pre_message.message_number_grok in ["109201"]}}'
       - set:
           network.transport: "{{parsed_event.message.network_transport|lower }}"
         filter: '{{parsed_event.message.get("network_transport") != None}}'

diff --git a/Cisco/cisco-secure-firewall/tests/test_FTD_109201.json b/Cisco/cisco-secure-firewall/tests/test_FTD_109201.json
@@ -0,0 +1,40 @@
+{
+  "input": {
+    "message": "%FTD-5-109201: UAUTH: Session=0x00fee000, User=User_Acme, Assigned IP=1.2.3.4, Succeeded adding entry."
+  },
+  "expected": {
+    "message": "%FTD-5-109201: UAUTH: Session=0x00fee000, User=User_Acme, Assigned IP=1.2.3.4, Succeeded adding entry.",
+    "event": {
+      "category": [
+        "iam"
+      ],
+      "code": "109201",
+      "reason": "Succeeded adding entry.",
+      "type": [
+        "user"
+      ]
+    },
+    "action": {
+      "target": "network-traffic"
+    },
+    "observer": {
+      "product": "Firepower Threat Defense",
+      "vendor": "Cisco"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ],
+      "user": [
+        "User_Acme"
+      ]
+    },
+    "source": {
+      "address": "1.2.3.4",
+      "ip": "1.2.3.4"
+    },
+    "user": {
+      "name": "User_Acme"
+    }
+  }
+}
diff --git a/Cisco/cisco-secure-firewall/tests/test_FTD_113004_2.json b/Cisco/cisco-secure-firewall/tests/test_FTD_113004_2.json
@@ -0,0 +1,40 @@
+{
+  "input": {
+    "message": "%FTD-6-113004: AAA user authorization Successful : server = 1.2.3.4 : user = User_Acme"
+  },
+  "expected": {
+    "message": "%FTD-6-113004: AAA user authorization Successful : server = 1.2.3.4 : user = User_Acme",
+    "event": {
+      "category": [
+        "authentication"
+      ],
+      "code": "113004",
+      "outcome": "success",
+      "type": [
+        "start"
+      ]
+    },
+    "action": {
+      "target": "network-traffic"
+    },
+    "destination": {
+      "address": "1.2.3.4",
+      "ip": "1.2.3.4"
+    },
+    "observer": {
+      "product": "Firepower Threat Defense",
+      "vendor": "Cisco"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ],
+      "user": [
+        "User_Acme"
+      ]
+    },
+    "user": {
+      "name": "User_Acme"
+    }
+  }
+}
diff --git a/Cisco/cisco-secure-firewall/tests/test_FTD_113019.json b/Cisco/cisco-secure-firewall/tests/test_FTD_113019.json
@@ -0,0 +1,41 @@
+{
+  "input": {
+    "message": "%FTD-4-113019: Group = MyGroup, Username = User_Acme, IP = 1.2.3.4, Session disconnected. Session Type: IKEv2, Duration: 2h:28m:09s, Bytes xmt: 54735230, Bytes rcv: 27473152, Reason: Idle Timeout"
+  },
+  "expected": {
+    "message": "%FTD-4-113019: Group = MyGroup, Username = User_Acme, IP = 1.2.3.4, Session disconnected. Session Type: IKEv2, Duration: 2h:28m:09s, Bytes xmt: 54735230, Bytes rcv: 27473152, Reason: Idle Timeout",
+    "event": {
+      "category": [
+        "session"
+      ],
+      "code": "113019",
+      "reason": "Idle Timeout",
+      "type": [
+        "end"
+      ]
+    },
+    "action": {
+      "target": "network-traffic"
+    },
+    "observer": {
+      "product": "Firepower Threat Defense",
+      "vendor": "Cisco"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ],
+      "user": [
+        "User_Acme"
+      ]
+    },
+    "source": {
+      "address": "1.2.3.4",
+      "ip": "1.2.3.4"
+    },
+    "user": {
+      "domain": "MyGroup",
+      "name": "User_Acme"
+    }
+  }
+}
diff --git a/Cisco/cisco-secure-firewall/tests/test_FTD_113039.json b/Cisco/cisco-secure-firewall/tests/test_FTD_113039.json
@@ -0,0 +1,41 @@
+{
+  "input": {
+    "message": "%FTD-6-113039: Group <CLIENT_VPN> User <User_Acme> IP <192.168.91.121> AnyConnect parent session started."
+  },
+  "expected": {
+    "message": "%FTD-6-113039: Group <CLIENT_VPN> User <User_Acme> IP <192.168.91.121> AnyConnect parent session started.",
+    "event": {
+      "category": [
+        "session"
+      ],
+      "code": "113039",
+      "reason": "AnyConnect parent session started.",
+      "type": [
+        "start"
+      ]
+    },
+    "action": {
+      "target": "network-traffic"
+    },
+    "observer": {
+      "product": "Firepower Threat Defense",
+      "vendor": "Cisco"
+    },
+    "related": {
+      "ip": [
+        "192.168.91.121"
+      ],
+      "user": [
+        "User_Acme"
+      ]
+    },
+    "source": {
+      "address": "192.168.91.121",
+      "ip": "192.168.91.121"
+    },
+    "user": {
+      "domain": "CLIENT_VPN",
+      "name": "User_Acme"
+    }
+  }
+}