x-pack/filebeat/module/cisco: remove invalid values from ECS fields (#…

…31628) This prevents "monitored" from being written into event.outcome which does not allow this value according to ECS. (cherry picked from commit 5a4bfca)
elastic · May 16, 2022 · aecf59b · aecf59b
1 parent 009376f
commit aecf59b
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -53,6 +53,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 - aws-s3 input: Stop SQS keep-alive routine on InvalidParameterValue error. {issue}30675[30675] {pull}31499[31499]
 - Supporting the double digit date parsing in ingest pipeline for oracle logs. {pull}31514[31514]
 - Fix handling of code_sign data in ThreatIntel Malwarebazaar. {issue}29972[29972] {pull}31552[31552]
+- Remove invalid term from event.outcome in the cisco asa and ftd modules. {pull}31628[31628]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -3440,14 +3440,15 @@
         "destination.port": 80,
         "event.action": "firewall-rule",
         "event.category": [
+            "intrusion_detection",
             "network"
         ],
         "event.code": 338004,
         "event.dataset": "cisco.asa",
         "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
-        "event.outcome": "monitored",
+        "event.outcome": "success",
         "event.severity": 4,
         "event.timezone": "-02:00",
         "event.type": [

diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
@@ -3427,14 +3427,15 @@
         "destination.port": 80,
         "event.action": "firewall-rule",
         "event.category": [
+            "intrusion_detection",
             "network"
         ],
         "event.code": 338004,
         "event.dataset": "cisco.ftd",
         "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
-        "event.outcome": "monitored",
+        "event.outcome": "success",
         "event.severity": 4,
         "event.timezone": "-02:00",
         "event.type": [

diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -1871,6 +1871,10 @@ processors:
         } else if (ctx?.event?.action.startsWith('connection-')) {
           ctx.event.type.add('connection');
         }
+        if (ctx.event.outcome == 'monitored') {
+          ctx.event.category.add('intrusion_detection');
+          ctx.event.outcome = 'success';
+        }
 
   - set:
       description: copy destination.user.name to user.name if it is not set