[cisco_ftd] Include NAT IPs and ports from security event messages (elastic#14892)

taylor-swanson · robester0403 · commit df785e4972b3 · 2025-08-14T16:05:32.000-04:00
- Include the source and destination NAT IPs and ports from security
event messages (430002 and 430003)
diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.10.0"
+  changes:
+    - description: Include NAT IPs and ports from security event messages.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14892
 - version: "3.9.4"
   changes:
     - description: Fix parsing for message ID 746012 and 746013.
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log
@@ -14,3 +14,4 @@ Aug 14 2019 15:09:41 siem-ftd  %FTD-1-430003: AccessControlRuleAction: Block, Ac
 2023-03-27T12:26:00Z  : %FTD-1-430001: DeviceUUID: 00009fd0-de50-11ea-b566-e4821b710000, InstanceID: 8, FirstPacketSecond: 2023-03-27T12:26:00Z, ConnectionID: 1309, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 54967, DstPort: 80, Protocol: tcp, IngressInterface: Inside, EgressInterface: Outside, IngressZone: Inside, EgressZone: Outside, Priority: 3, GID: 119, SID: 6, Revision: 3, Message: (http_inspect) URI has two-byte or three-byte UTF-8 encoding, Classification: Not Suspicious Traffic, User: Not Found, IntrusionPolicy: Inline IPS Policy, ACPolicy: FTD-ACP, AccessControlRuleName: PassRule, NAPPolicy: Balanced Security and Connectivity, InlineResult: Pass, IngressVRF: Global, EgressVRF: Global
 2019-08-16T09:33:15Z firepower  %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 3000000000, ResponderBytes: 3000000000, NAPPolicy: Balanced Security and Connectivity
 <118>2024-11-08T07:42:25Z  : %FTD-6-430002: EventPriority: Low, DeviceUUID: abcd-1234-efgh-111-abcd1234, InstanceID: 7, FirstPacketSecond: 2024-11-08T07:42:25Z, ConnectionID: 53493, AccessControlRuleAction: Allow, SrcIP: 89.160.20.156, DstIP: 89.160.20.112, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: GRT, EgressInterface: Azure-S2S, IngressZone: GRT, EgressZone: Azure, IngressVRF: Global, EgressVRF: Global, ACPolicy: internet-access-policy, AccessControlRuleName: LOGI -> Azure TEST, Prefilter Policy: Default Prefilter Policy, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 102, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, ClientAppDetector: AppID, EncryptPeerIP: 67.43.156.0, VPN_Action: Encrypt
+2019-08-15T16:07:19Z firepower  %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, NAT_InitiatorIP: 10.1.1.1, NAT_InitiatorPort: 40000, NAT_ResponderIP: 192.168.1.1, NAT_ResponderPort: 50000, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
@@ -2105,6 +2105,180 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2019-08-15T16:07:19.000Z",
+            "cisco": {
+                "ftd": {
+                    "destination_interface": "outside",
+                    "rule_name": [
+                        "default",
+                        "Rule-1"
+                    ],
+                    "security": {
+                        "nat_dst_ip": "192.168.1.1",
+                        "nat_dst_port": "50000",
+                        "nat_src_ip": "10.1.1.1",
+                        "nat_src_port": "40000"
+                    },
+                    "security_event": {
+                        "ac_policy": "default",
+                        "access_control_rule_action": "Allow",
+                        "access_control_rule_name": "Rule-1",
+                        "application_protocol": "HTTP",
+                        "client": "Advanced Packaging Tool",
+                        "client_version": "1.3",
+                        "connection_duration": 1,
+                        "dst_ip": "81.2.69.144",
+                        "dst_port": 80,
+                        "egress_interface": "outside",
+                        "egress_zone": "output-zone",
+                        "http_response": 200,
+                        "ingress_interface": "inside",
+                        "ingress_zone": "input-zone",
+                        "initiator_bytes": 97454,
+                        "initiator_packets": 1359,
+                        "nap_policy": "Balanced Security and Connectivity",
+                        "prefilter_policy": "Default Prefilter Policy",
+                        "protocol": "tcp",
+                        "referenced_host": "eu-central-1.ec2.archive.ubuntu.com",
+                        "responder_bytes": 41319018,
+                        "responder_packets": 29001,
+                        "src_ip": "10.0.1.20",
+                        "src_port": 43228,
+                        "url": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb",
+                        "user": "No Authentication Required",
+                        "user_agent": "Debian APT-HTTP/1.3 (1.6.11)",
+                        "web_application": "Ubuntu"
+                    },
+                    "source_interface": "inside"
+                }
+            },
+            "destination": {
+                "address": "81.2.69.144",
+                "bytes": 41319018,
+                "geo": {
+                    "city_name": "London",
+                    "continent_name": "Europe",
+                    "country_iso_code": "GB",
+                    "country_name": "United Kingdom",
+                    "location": {
+                        "lat": 51.5142,
+                        "lon": -0.0931
+                    },
+                    "region_iso_code": "GB-ENG",
+                    "region_name": "England"
+                },
+                "ip": "81.2.69.144",
+                "nat": {
+                    "ip": "192.168.1.1",
+                    "port": 50000
+                },
+                "packets": 29001,
+                "port": 80
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "connection-finished",
+                "category": [
+                    "network"
+                ],
+                "code": "430003",
+                "duration": 1000000000,
+                "end": "2019-08-15T16:07:19.000Z",
+                "kind": "event",
+                "original": "2019-08-15T16:07:19Z firepower  %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, NAT_InitiatorIP: 10.1.1.1, NAT_InitiatorPort: 40000, NAT_ResponderIP: 192.168.1.1, NAT_ResponderPort: 50000, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb",
+                "outcome": "success",
+                "severity": 1,
+                "start": "2019-08-15T16:07:18.000Z",
+                "timezone": "UTC",
+                "type": [
+                    "connection",
+                    "end",
+                    "allowed"
+                ]
+            },
+            "host": {
+                "hostname": "firepower"
+            },
+            "http": {
+                "response": {
+                    "status_code": 200
+                }
+            },
+            "log": {
+                "level": "alert"
+            },
+            "network": {
+                "application": [
+                    "advanced packaging tool",
+                    "ubuntu"
+                ],
+                "bytes": 41416472,
+                "community_id": "1:e9BEufDTrN3BbL6412GOz3SWm5w=",
+                "iana_number": "6",
+                "protocol": "http",
+                "transport": "tcp"
+            },
+            "observer": {
+                "egress": {
+                    "interface": {
+                        "name": "outside"
+                    },
+                    "zone": "output-zone"
+                },
+                "hostname": "firepower",
+                "ingress": {
+                    "interface": {
+                        "name": "inside"
+                    },
+                    "zone": "input-zone"
+                },
+                "product": "ftd",
+                "type": "idps",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "hosts": [
+                    "firepower"
+                ],
+                "ip": [
+                    "10.0.1.20",
+                    "10.1.1.1",
+                    "81.2.69.144",
+                    "192.168.1.1"
+                ]
+            },
+            "rule": {
+                "name": "Rule-1",
+                "ruleset": "default"
+            },
+            "source": {
+                "address": "10.0.1.20",
+                "bytes": 97454,
+                "ip": "10.0.1.20",
+                "nat": {
+                    "ip": "10.1.1.1",
+                    "port": 40000
+                },
+                "packets": 1359,
+                "port": 43228
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "url": {
+                "domain": "eu-central-1.ec2.archive.ubuntu.com",
+                "extension": "deb",
+                "original": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb",
+                "path": "/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb",
+                "scheme": "http"
+            },
+            "user_agent": {
+                "original": "Debian APT-HTTP/1.3 (1.6.11)"
+            }
         }
     ]
 }
diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1367,6 +1367,22 @@ processors:
           target: message
           id: ["430001"]
           ecs: [message]
+        NAT_InitiatorIP:
+          target: nat_src_ip
+          id: ["430002", "430003"]
+          ecs: [ source.nat.ip ]
+        NAT_InitiatorPort:
+          target: nat_src_port
+          id: ["430002", "430003"]
+          ecs: [ source.nat.port ]
+        NAT_ResponderIP:
+          target: nat_dst_ip
+          id: ["430002", "430003"]
+          ecs: [ destination.nat.ip ]
+        NAT_ResponderPort:
+          target: nat_dst_port
+          id: ["430002", "430003"]
+          ecs: [ destination.nat.port ]
         NAPPolicy:
           target: nap_policy
           id: ["430001", "430002", "430003"]
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ftd
 title: Cisco FTD
-version: "3.9.4"
+version: "3.10.0"
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
 categories:
