diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml index fe4a8cee1f5..cf25519fd1d 100644 --- a/packages/cisco_ftd/changelog.yml +++ b/packages/cisco_ftd/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.10.3" + changes: + - description: Add support for Security Group Tag (SGT) and Endpoint Group (EPG) fields in connection events. + type: enhancement + link: https://github.com/elastic/integrations/pull/15652 - version: "3.10.2" changes: - description: Fix parsing for message ID 313005 to accept input type unknown. diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-config.yml b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-config.yml index 33645a7c60e..e217983af2f 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-config.yml +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-config.yml @@ -7,4 +7,4 @@ fields: external_zones: - output-zone internal_zones: - - input-zone \ No newline at end of file + - input-zone diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sgt.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sgt.log new file mode 100644 index 00000000000..413463aeb8b --- /dev/null +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sgt.log @@ -0,0 +1,3 @@ +2025-09-01T12:00:00Z firepower : %FTD-6-430003: EventPriority: Low, DeviceUUID: d697c8ca-9fe4-43e6-aeb5-33e277e5ffea, InstanceID: 11, FirstPacketSecond: 2025-09-01T12:35:00Z, ConnectionID: 39416, AccessControlRuleAction: Trust, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: SGT_TEST_GROUP, SourceSecurityGroupTag: 2003, SourceSecurityGroupType: Session Directory, DestinationIP_DynamicAttribute: APIC_EPG_TEST_GROUP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Workstation:Microsoft-Workstation:Windows11-Workstation, ACPolicy: ACP-Access, AccessControlRuleName: Test-Rule-1, Prefilter Policy: Default Prefilter Policy, User: testuser, Client: DNS, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 31, ResponderBytes: 238, NAPPolicy: Balanced Security and Connectivity +2025-09-01T14:00:00Z firepower : %FTD-6-430002: EventPriority: Low, DeviceUUID: d697c8ca-9fe4-43e6-aeb5-33e277e5ffea, InstanceID: 4, FirstPacketSecond: 2025-09-01T14:00:03Z, ConnectionID: 36584, AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 22, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: 2005, SourceSecurityGroupTag: 2005, DestinationSecurityGroup: 9, DestinationSecurityGroupTag: 9, SourceSecurityGroupType: Session Directory, DestinationSecurityGroupType: SXP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Invalid ID, ACPolicy: ACP-Management, AccessControlRuleName: Default Deny, Prefilter Policy: Management Prefilter Policy, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 70, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity + diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sgt.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sgt.log-expected.json new file mode 100644 index 00000000000..2e8297ff95d --- /dev/null +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sgt.log-expected.json @@ -0,0 +1,283 @@ +{ + "expected": [ + { + "@timestamp": "2025-09-01T12:35:00.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": [ + "ACP-Access", + "Test-Rule-1" + ], + "security": { + "endpoint_profile": "Workstation:Microsoft-Workstation:Windows11-Workstation" + }, + "security_event": { + "ac_policy": "ACP-Access", + "access_control_rule_action": "Trust", + "access_control_rule_name": "Test-Rule-1", + "application_protocol": "DNS", + "client": "DNS", + "connection_duration": 0, + "destination_ip_dynamic_attribute": "APIC_EPG_TEST_GROUP", + "dst_ip": "10.0.1.20", + "dst_port": 53, + "egress_interface": "outside", + "first_packet_second": "2025-09-01T12:35:00Z", + "ingress_interface": "inside", + "initiator_bytes": 31, + "initiator_packets": 1, + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "udp", + "responder_bytes": 238, + "responder_packets": 1, + "source_security_group": "SGT_TEST_GROUP", + "source_security_group_tag": "2003", + "source_security_group_type": "Session Directory", + "src_ip": "10.0.100.30", + "src_port": 56799, + "user": "testuser" + }, + "source_interface": "inside" + } + }, + "destination": { + "address": "10.0.1.20", + "bytes": 238, + "ip": "10.0.1.20", + "packets": 1, + "port": 53 + }, + "device": { + "manufacturer": "Microsoft", + "model": { + "name": "Windows11" + } + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "duration": 0, + "end": "2025-09-01T12:35:00.000Z", + "kind": "event", + "original": "2025-09-01T12:00:00Z firepower : %FTD-6-430003: EventPriority: Low, DeviceUUID: d697c8ca-9fe4-43e6-aeb5-33e277e5ffea, InstanceID: 11, FirstPacketSecond: 2025-09-01T12:35:00Z, ConnectionID: 39416, AccessControlRuleAction: Trust, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: SGT_TEST_GROUP, SourceSecurityGroupTag: 2003, SourceSecurityGroupType: Session Directory, DestinationIP_DynamicAttribute: APIC_EPG_TEST_GROUP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Workstation:Microsoft-Workstation:Windows11-Workstation, ACPolicy: ACP-Access, AccessControlRuleName: Test-Rule-1, Prefilter Policy: Default Prefilter Policy, User: testuser, Client: DNS, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 31, ResponderBytes: 238, NAPPolicy: Balanced Security and Connectivity", + "outcome": "success", + "severity": 6, + "start": "2025-09-01T12:35:00.000Z", + "timezone": "UTC", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "host": { + "hostname": "firepower", + "type": "Microsoft" + }, + "log": { + "level": "informational" + }, + "network": { + "application": "dns", + "bytes": 269, + "community_id": "1:xlmEboTK1cVSycaPD+f1Ii6nxMg=", + "iana_number": "17", + "protocol": "dns", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.100.30", + "10.0.1.20" + ], + "user": [ + "testuser" + ] + }, + "rule": { + "name": "Test-Rule-1", + "ruleset": "ACP-Access" + }, + "source": { + "address": "10.0.100.30", + "bytes": 31, + "ip": "10.0.100.30", + "packets": 1, + "port": 56799 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "testuser", + "name": "testuser" + } + }, + { + "@timestamp": "2025-09-01T14:00:03.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": [ + "ACP-Management", + "Default Deny" + ], + "security": { + "endpoint_profile": "Invalid ID" + }, + "security_event": { + "ac_policy": "ACP-Management", + "access_control_rule_action": "Block", + "access_control_rule_name": "Default Deny", + "destination_security_group": "9", + "destination_security_group_tag": "9", + "dst_ip": "10.0.1.20", + "dst_port": 22, + "egress_interface": "outside", + "first_packet_second": "2025-09-01T14:00:03Z", + "ingress_interface": "inside", + "initiator_bytes": 70, + "initiator_packets": 1, + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Management Prefilter Policy", + "protocol": "tcp", + "responder_bytes": 0, + "responder_packets": 0, + "source_security_group": "2005", + "source_security_group_tag": "2005", + "source_security_group_type": "Session Directory", + "src_ip": "10.0.100.30", + "src_port": 56799 + }, + "source_interface": "inside" + } + }, + "destination": { + "address": "10.0.1.20", + "bytes": 0, + "ip": "10.0.1.20", + "packets": 0, + "port": 22 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "connection-started", + "category": [ + "network" + ], + "code": "430002", + "kind": "event", + "original": "2025-09-01T14:00:00Z firepower : %FTD-6-430002: EventPriority: Low, DeviceUUID: d697c8ca-9fe4-43e6-aeb5-33e277e5ffea, InstanceID: 4, FirstPacketSecond: 2025-09-01T14:00:03Z, ConnectionID: 36584, AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 22, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: 2005, SourceSecurityGroupTag: 2005, DestinationSecurityGroup: 9, DestinationSecurityGroupTag: 9, SourceSecurityGroupType: Session Directory, DestinationSecurityGroupType: SXP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Invalid ID, ACPolicy: ACP-Management, AccessControlRuleName: Default Deny, Prefilter Policy: Management Prefilter Policy, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 70, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", + "outcome": "success", + "severity": 6, + "start": "2025-09-01T14:00:03Z", + "timezone": "UTC", + "type": [ + "connection", + "start", + "denied" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 70, + "community_id": "1:jcSnhrPf/GVREflEdymeibE8U/A=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.100.30", + "10.0.1.20" + ] + }, + "rule": { + "name": "Default Deny", + "ruleset": "ACP-Management" + }, + "source": { + "address": "10.0.100.30", + "bytes": 70, + "ip": "10.0.100.30", + "packets": 1, + "port": 56799 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "severity": 7, + "timezone": "UTC" + }, + "log": { + "level": "debug" + }, + "observer": { + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml index ba800a99838..189bd8e3669 100644 --- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -1260,6 +1260,15 @@ processors: DstPort: target: dst_port ecs: [destination.port] + DestinationIP_DynamicAttribute: + target: destination_ip_dynamic_attribute + id: ["430002", "430003"] + DestinationSecurityGroup: + target: destination_security_group + id: ["430002", "430003"] + DestinationSecurityGroupTag: + target: destination_security_group_tag + id: ["430002", "430003"] EgressInterface: target: egress_interface id: ["430001", "430002", "430003"] @@ -1475,6 +1484,15 @@ processors: SperoDisposition: target: spero_disposition id: ["430004", "430005"] + SourceSecurityGroup: + target: source_security_group + id: ["430002", "430003"] + SourceSecurityGroupTag: + target: source_security_group_tag + id: ["430002", "430003"] + SourceSecurityGroupType: + target: source_security_group_type + id: ["430002", "430003"] SrcIP: target: src_ip ecs: [source.address] @@ -1565,6 +1583,9 @@ processors: 'dns_record_type', 'dns_response_type', 'dns_ttl', + 'destination_ip_dynamic_attribute', + 'destination_security_group', + 'destination_security_group_tag', 'dst_ip', 'dst_port', 'egress_interface', @@ -1595,6 +1616,9 @@ processors: 'responder_bytes', 'responder_packets', 'sha_disposition', + 'source_security_group', + 'source_security_group_tag', + 'source_security_group_type', 'spero_disposition', 'src_ip', 'src_port', diff --git a/packages/cisco_ftd/data_stream/log/fields/fields.yml b/packages/cisco_ftd/data_stream/log/fields/fields.yml index 083fa46fa6d..823653ebfa1 100644 --- a/packages/cisco_ftd/data_stream/log/fields/fields.yml +++ b/packages/cisco_ftd/data_stream/log/fields/fields.yml @@ -201,6 +201,15 @@ type: ip - name: dst_port type: integer + - name: destination_ip_dynamic_attribute + type: keyword + description: Destination IP dynamic attribute (EPG information) + - name: destination_security_group + type: keyword + description: Destination Security Group Tag (SGT) + - name: destination_security_group_tag + type: keyword + description: Destination Security Group Tag number - name: egress_interface type: keyword - name: egress_zone @@ -259,6 +268,15 @@ type: keyword - name: spero_disposition type: keyword + - name: source_security_group + type: keyword + description: Source Security Group Tag (SGT) + - name: source_security_group_tag + type: keyword + description: Source Security Group Tag number + - name: source_security_group_type + type: keyword + description: Source Security Group Tag type - name: src_ip type: ip - name: src_port diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md index 942115e17c0..8880037cd63 100644 --- a/packages/cisco_ftd/docs/README.md +++ b/packages/cisco_ftd/docs/README.md @@ -240,6 +240,9 @@ An example event for `log` looks as following: | cisco.ftd.security_event.client | | keyword | | cisco.ftd.security_event.client_version | | keyword | | cisco.ftd.security_event.connection_duration | | integer | +| cisco.ftd.security_event.destination_ip_dynamic_attribute | Destination IP dynamic attribute (EPG information) | keyword | +| cisco.ftd.security_event.destination_security_group | Destination Security Group Tag (SGT) | keyword | +| cisco.ftd.security_event.destination_security_group_tag | Destination Security Group Tag number | keyword | | cisco.ftd.security_event.dns_query | | keyword | | cisco.ftd.security_event.dns_record_type | | keyword | | cisco.ftd.security_event.dns_response_type | | keyword | @@ -274,6 +277,9 @@ An example event for `log` looks as following: | cisco.ftd.security_event.responder_bytes | | long | | cisco.ftd.security_event.responder_packets | | integer | | cisco.ftd.security_event.sha_disposition | | keyword | +| cisco.ftd.security_event.source_security_group | Source Security Group Tag (SGT) | keyword | +| cisco.ftd.security_event.source_security_group_tag | Source Security Group Tag number | keyword | +| cisco.ftd.security_event.source_security_group_type | Source Security Group Tag type | keyword | | cisco.ftd.security_event.spero_disposition | | keyword | | cisco.ftd.security_event.src_ip | | ip | | cisco.ftd.security_event.src_port | | integer | diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml index 214bf524c31..cc02ff1e3e2 100644 --- a/packages/cisco_ftd/manifest.yml +++ b/packages/cisco_ftd/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: cisco_ftd title: Cisco FTD -version: "3.10.2" +version: "3.10.3" description: Collect logs from Cisco FTD with Elastic Agent. type: integration categories: diff --git a/packages/cisco_ftd/pr.md b/packages/cisco_ftd/pr.md new file mode 100644 index 00000000000..390a69e5fe4 --- /dev/null +++ b/packages/cisco_ftd/pr.md @@ -0,0 +1,75 @@ +## Summary +This PR adds support for parsing 6 Security Group Tag (SGT) and Endpoint Group (EPG) fields from Cisco FTD connection event syslog messages (message IDs 430002 and 430003). + +## Related Issue +Fixes #15204 + +## Problem +The Cisco FTD integration was not parsing SGT/EGT-related fields from connection event messages. These fields were present in the `event.original` field but were not being extracted into structured, queryable fields, making it difficult to search and analyze security group information in Elastic. + +## Example Logs (Sanitized for Testing) + +Based on the logs provided in issue #15204, here are the sanitized test cases used in our pipeline tests: + +**Example 1 - Connection End Event (430003):** +``` +2025-09-01T12:00:00Z firepower : %FTD-6-430003: EventPriority: Low, DeviceUUID: d697c8ca-9fe4-43e6-aeb5-33e277e5ffea, InstanceID: 11, FirstPacketSecond: 2025-09-01T12:35:00Z, ConnectionID: 39416, AccessControlRuleAction: Trust, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: SGT_TEST_GROUP, SourceSecurityGroupTag: 2003, SourceSecurityGroupType: Session Directory, DestinationIP_DynamicAttribute: APIC_EPG_TEST_GROUP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Workstation:Microsoft-Workstation:Windows11-Workstation, ACPolicy: ACP-Access, AccessControlRuleName: Test-Rule-1, Prefilter Policy: Default Prefilter Policy, User: testuser, Client: DNS, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 31, ResponderBytes: 238, NAPPolicy: Balanced Security and Connectivity +``` + +**Example 2 - Connection Start Event (430002):** +``` +2025-09-01T14:00:00Z firepower : %FTD-6-430002: EventPriority: Low, DeviceUUID: d697c8ca-9fe4-43e6-aeb5-33e277e5ffea, InstanceID: 4, FirstPacketSecond: 2025-09-01T14:00:03Z, ConnectionID: 36584, AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 22, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: 2005, SourceSecurityGroupTag: 2005, DestinationSecurityGroup: 9, DestinationSecurityGroupTag: 9, SourceSecurityGroupType: Session Directory, DestinationSecurityGroupType: SXP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Invalid ID, ACPolicy: ACP-Management, AccessControlRuleName: Default Deny, Prefilter Policy: Management Prefilter Policy, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 70, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity +``` + +These logs demonstrate the SGT/EPG fields that were previously not being parsed. Note: IPs and interface names have been sanitized for security. + +## Solution +Added parsing support for the following 6 fields: + +| Field | Target Field | Type | Description | +|-------|---------------|------|-------------| +| `SourceSecurityGroup` | `cisco.ftd.security_event.source_security_group` | keyword | Security Group of the source | +| `SourceSecurityGroupTag` | `cisco.ftd.security_event.source_security_group_tag` | keyword | Numeric SGT attribute of source | +| `SourceSecurityGroupType` | `cisco.ftd.security_event.source_security_group_type` | keyword | Source SGT type (Inline, Session Directory, SXP) | +| `DestinationIP_DynamicAttribute` | `cisco.ftd.security_event.destination_ip_dynamic_attribute` | keyword | Destination IP dynamic attribute (EPG info) | +| `DestinationSecurityGroup` | `cisco.ftd.security_event.destination_security_group` | keyword | Security Group of the destination | +| `DestinationSecurityGroupTag` | `cisco.ftd.security_event.destination_security_group_tag` | keyword | Numeric SGT attribute of destination | + +## Changes Made + +### 1. Ingest Pipeline ([default.yml](data_stream/log/elasticsearch/ingest_pipeline/default.yml)) +- Added 6 field mappings in the script processor params section +- Added field targets to `security_event_list` array to ensure fields are placed in `cisco.ftd.security_event` group (consistent with other connection event fields) +- Fields are configured for message IDs `["430002", "430003"]` + +### 2. Field Definitions ([fields.yml](data_stream/log/fields/fields.yml)) +- Added 6 field definitions under `cisco.ftd.security_event` group +- All fields typed as `keyword` to support both string and numeric values +- Added descriptions based on official Cisco documentation + +### 3. Testing +- Created new test file [test-sgt.log](data_stream/log/_dev/test/pipeline/test-sgt.log) with 2 sample connection events containing SGT/EGT fields +- Test covers both 430002 (connection start) and 430003 (connection end) message types +- Validates extraction of both string values (e.g., `"SGT_TEST_GROUP"`) and numeric values (e.g., `"2005"`) +- All 39 pipeline tests passing ✅ + +## Implementation Notes +Fields are placed in `cisco.ftd.security_event` rather than the legacy `cisco.ftd.security` field for consistency and maintainability. +All new fields use `keyword` type to handle both string and numeric values. + +## Testing Performed +- [x] Pipeline tests pass (39/39) +- [x] Fields extract correctly +- [x] Correct ECS placement +- [x] No regressions + +## References +- Issue: #15204 +- Cisco Documentation: [Cisco Secure Firewall Threat Defense Syslog Messages — Connection Event Field Descriptions](https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/fptd_syslog_guide/security-event-syslog-messages.html#id_87692) + +## Checklist +- [x] Field definitions added +- [x] Pipeline updated +- [x] Tests added +- [x] Docs/links included +- [x] All tests passing