The Cisco ASA module in Filebeat does not adhere to ECS 1.4 for the event.outcome field.
According to ECS 1.4, event.outcome must take one of three specific keyword values:
Important: The field value must be one of the following:
failure, success, unknown
However, events received from this module carry values such as denied, Deny and deny instead.
Snippets of some examples:
```json
"log": {
  "original": "%ASA-2-106001: Inbound TCP connection denied from <snipped>/56711 to <snipped>/26 flags SYN on interface outside",
  "level": "critical"
},
"event": {
  "severity": 2,
  "timezone": "EST5EDT",
  "module": "cisco",
  "action": "firewall-rule",
  "dataset": "cisco.asa",
  "outcome": "denied",
  "kind": "signal"
}
```

```json
"log": {
  "original": "%ASA-2-106006: Deny inbound UDP from <snipped>/48749 to <snipped>/4500 on interface outside",
  "level": "critical"
},
"event": {
  "severity": 2,
  "timezone": "EST5EDT",
  "module": "cisco",
  "action": "firewall-rule",
  "dataset": "cisco.asa",
  "outcome": "Deny",
  "kind": "signal"
}
```

```json
"log": {
  "original": "%ASA-2-106001: Inbound TCP connection denied from <snipped>/43196 to <snipped>/26 flags SYN on interface outside",
  "level": "critical"
},
"event": {
  "severity": 2,
  "timezone": "EST5EDT",
  "module": "cisco",
  "action": "firewall-rule",
  "dataset": "cisco.asa",
  "outcome": "deny",
  "kind": "signal"
}
```
This was spotted while filing: elastic/detection-rules#50
- Version: Filebeat 7.8.0
- Operating System: Docker (Alpine underlying OS)
- Steps to Reproduce:
  1. Set up a Filebeat instance that accepts Cisco ASA events.
  2. Set up a Cisco ASA with rules designed to block/deny traffic.
  3. Watch the logs get ingested with incorrect event.outcome values.
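Until the module is fixed, a check-and-normalize step on the ingest side catches the problem. The script below is an added example, not Filebeat's or ECS's own code: it flags events whose event.outcome is outside the ECS 1.4 set and rewrites the ASA wording to an ECS keyword. The deny/permit-to-ECS mapping, the cisco.asa.raw_outcome field and the sample events (with RFC 5737 addresses in place of the snipped ones) are all assumptions constructed for this illustration.

```python
import copy
import re

ECS_OUTCOMES = {"failure", "success", "unknown"}   # ECS 1.4 allowed values

# Assumed mapping from raw ASA wording to ECS keywords (not from ECS or Filebeat).
_OUTCOME_MAP = {
    "deny": "failure", "denied": "failure",
    "permit": "success", "permitted": "success",
    "allow": "success", "allowed": "success",
}
_DENY_RE = re.compile(r"\b(?:deny|denied)\b", re.IGNORECASE)


def ecs_violations(events):
    """Return (index, raw_value) for every event whose event.outcome is not ECS-valid."""
    return [(i, ev.get("event", {}).get("outcome")) for i, ev in enumerate(events)
            if ev.get("event", {}).get("outcome") not in ECS_OUTCOMES]


def normalize_outcome(event):
    """Return a copy of the event with event.outcome rewritten to an ECS 1.4 value.

    Non-ECS raw values are preserved in cisco.asa.raw_outcome (assumed field name)
    so the module's original output is not lost.
    """
    ev = copy.deepcopy(event)
    raw = ev.setdefault("event", {}).get("outcome")
    if raw in ECS_OUTCOMES:
        return ev                                   # already compliant, leave alone
    mapped = _OUTCOME_MAP.get(str(raw).lower()) if raw is not None else None
    if mapped is None and _DENY_RE.search(ev.get("log", {}).get("original", "")):
        mapped = "failure"                          # fall back to the ASA message text
    ev["event"]["outcome"] = mapped or "unknown"
    if raw is not None:
        ev.setdefault("cisco", {}).setdefault("asa", {})["raw_outcome"] = raw
    return ev


# Constructed samples reproducing the three outcome values shown in this issue.
SAMPLE_EVENTS = [
    {"log": {"original": "%ASA-2-106001: Inbound TCP connection denied from 192.0.2.10/56711 to 198.51.100.5/26 flags SYN on interface outside"},
     "event": {"dataset": "cisco.asa", "outcome": "denied"}},
    {"log": {"original": "%ASA-2-106006: Deny inbound UDP from 192.0.2.10/48749 to 198.51.100.5/4500 on interface outside"},
     "event": {"dataset": "cisco.asa", "outcome": "Deny"}},
    {"log": {"original": "%ASA-2-106001: Inbound TCP connection denied from 192.0.2.11/43196 to 198.51.100.5/26 flags SYN on interface outside"},
     "event": {"dataset": "cisco.asa", "outcome": "deny"}},
]

if __name__ == "__main__":
    print("before:", ecs_violations(SAMPLE_EVENTS))
    print("after: ", ecs_violations([normalize_outcome(e) for e in SAMPLE_EVENTS]))
```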