From 22070e49c3718e267303d31a889f486264280c1d Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Wed, 20 Nov 2024 12:17:52 -0500 Subject: [PATCH] [cisco_ftd] Fixed grok errors on ftd message ID 305006. Added additional matching patterns per specification. (#11780) * Fixed grok errors on ftd message ID 305006. Added additional matching pattern per specification. * Updated changelog with PR number --- packages/cisco_ftd/changelog.yml | 5 + .../pipeline/test-asa-fix.log-expected.json | 2 +- .../test/pipeline/test-asa.log-expected.json | 2 +- .../test/pipeline/test-dns.log-expected.json | 2 +- .../pipeline/test-filtered.log-expected.json | 2 +- ...est-firepower-management.log-expected.json | 2 +- .../_dev/test/pipeline/test-ftd-305006.log | 27 + .../test-ftd-305006.log-expected.json | 3185 +++++++++++++++++ ...est-ftd-endpoint-profile.log-expected.json | 2 +- .../pipeline/test-ftd-fix.log-expected.json | 2 +- ...est-ftd-inbound-outbound.log-expected.json | 2 +- .../test-ftd-session.log-expected.json | 2 +- ...ftd-username-with-spaces.log-expected.json | 2 +- .../pipeline/test-intrusion.log-expected.json | 2 +- .../test-no-type-id.log-expected.json | 2 +- .../pipeline/test-not-ip.log-expected.json | 2 +- .../pipeline/test-sample.log-expected.json | 2 +- ...test-security-connection.log-expected.json | 2 +- ...st-security-file-malware.log-expected.json | 2 +- ...st-security-malware-site.log-expected.json | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 5 +- packages/cisco_ftd/manifest.yml | 2 +- 22 files changed, 3238 insertions(+), 20 deletions(-) create mode 100644 packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-305006.log create mode 100644 packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-305006.log-expected.json diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml index 6aba51aed19..ffa5805809a 100644 --- a/packages/cisco_ftd/changelog.yml +++ b/packages/cisco_ftd/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.4.4" + changes: + - description: Fixed grok errors on ftd message ID 305006. Added additional matching pattern per specification. + type: bugfix + link: https://github.com/elastic/integrations/pull/11780 - version: "3.4.3" changes: - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json index 809c741fcbe..73ce4c5c00b 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json @@ -439,4 +439,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json index 5769fe99632..cf58496456a 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json @@ -22248,4 +22248,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json index ed7fb87c0c5..2461d1e1735 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json @@ -3046,4 +3046,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json index 960b781f146..b55c4c55637 100644 
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json @@ -86,4 +86,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json index 95d80e57386..3bfdfc14895 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json @@ -1246,4 +1246,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-305006.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-305006.log new file mode 100644 index 00000000000..63f82f3267f --- /dev/null +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-305006.log 
@@ -0,0 +1,27 @@
+<163>%FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst WAN-PROV:81.2.69.200 (type 3, code 0)
+<163>%FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 dst WAN-PROV:81.2.69.200/9234 (type 3, code 0)
+<163>%FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst WAN-PROV:81.2.69.200/9234 (type 3, code 0)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195(LOCAL\esurbey) dst Internet:81.2.69.200 (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 (LOCAL\esurbey) dst Internet:81.2.69.200 (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 dst Internet:81.2.69.200(host1\foobar) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 dst Internet:81.2.69.200 (host1\foobar) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195(host1\foobar) dst Internet:81.2.69.200(LOCAL\esurbey) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 (host1\foobar) dst Internet:81.2.69.200 (LOCAL\esurbey) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21(LOCAL\esurbey) dst Internet:81.2.69.200 (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 (LOCAL\esurbey) dst Internet:81.2.69.200 (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst Internet:81.2.69.200(host1\foobar) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst Internet:81.2.69.200 (host1\foobar) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21(host1\foobar) dst Internet:81.2.69.200(LOCAL\esurbey) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 (host1\foobar) dst Internet:81.2.69.200 (LOCAL\esurbey) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195(LOCAL\esurbey) dst Internet:81.2.69.200/9234 (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 (LOCAL\esurbey) dst Internet:81.2.69.200/9234 (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 dst Internet:81.2.69.200/9234(host1\foobar) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 dst Internet:81.2.69.200/9234 (host1\foobar) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195(host1\foobar) dst Internet:81.2.69.200/9234(LOCAL\esurbey) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 (host1\foobar) dst Internet:81.2.69.200/9234 (LOCAL\esurbey) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21(LOCAL\esurbey) dst Internet:81.2.69.200/9234 (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 (LOCAL\esurbey) dst Internet:81.2.69.200/9234 (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst Internet:81.2.69.200/9234(host1\foobar) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst Internet:81.2.69.200/9234 (host1\foobar) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21(host1\foobar) dst Internet:81.2.69.200/9234(LOCAL\esurbey) (type 3, code 3)
+<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 (host1\foobar) dst Internet:81.2.69.200/9234 (LOCAL\esurbey) (type 3, code 3)
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-305006.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-305006.log-expected.json
new file mode 100644
index 00000000000..8727760b630
--- /dev/null
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-305006.log-expected.json
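Review bot: The 27 samples in this hunk pin an asymmetric treatment of the two username forms that the companion expected output makes visible: `LOCAL\esurbey` is recorded as `user.name: esurbey` with no `user.domain`, while `host1\foobar` is recorded as `user.domain: host1` plus `host1` in `related.hosts`, so an analyst pivoting on `related.hosts` will find a Windows-style domain where a hostname was expected — confirm that a `LOCAL` special-case is intentional before freezing it into a fixture. The expected output also sets top-level `user.name` only when a destination user is present, and then to the destination user (e.g. `user.name: esurbey` alongside `source.user.name: foobar`), so a source-only event such as sample 4 carries no `user.name` at all; worth a sample with a bare username (no `DOMAIN\` prefix) and a note in the fixture on which side `user.name` is meant to reflect. Every sample is `icmp`; a tcp/udp `src iface:ip/port dst iface:ip/port` form of 305006, which presumably exercises the non-ICMP branch of the new pattern, is left untested. The `/21` suffix on an icmp endpoint is mapped to `source.port` in the expected output, and ICMP has no port, so a comment in the fixture stating whether that suffix is real device output or synthetic would help the next person who touches the grok.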
@@ -0,0 +1,3185 @@ +{ + "expected": [ + { + "cisco": { + "ftd": { + "destination_interface": "WAN-PROV", + "icmp_code": 0, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<163>%FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst WAN-PROV:81.2.69.200 (type 3, code 0)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 163, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN-PROV" + } + }, + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "81.2.69.195", + "81.2.69.200" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cisco": { + "ftd": { + "destination_interface": "WAN-PROV", + "icmp_code": 0, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + 
"continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<163>%FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 dst WAN-PROV:81.2.69.200/9234 (type 3, code 0)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 163, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN-PROV" + } + }, + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "81.2.69.195", + "81.2.69.200" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cisco": { + "ftd": { + "destination_interface": "WAN-PROV", + "icmp_code": 0, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + 
"action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<163>%FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst WAN-PROV:81.2.69.200/9234 (type 3, code 0)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 163, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN-PROV" + } + }, + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "81.2.69.195", + "81.2.69.200" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "LOCAL\\esurbey", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src 
any:81.2.69.195(LOCAL\\esurbey) dst Internet:81.2.69.200 (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "user": { + "name": "esurbey" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "LOCAL\\esurbey", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 (LOCAL\\esurbey) 
dst Internet:81.2.69.200 (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "user": { + "name": "esurbey" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "host1\\foobar", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src 
any:81.2.69.195 dst Internet:81.2.69.200(host1\\foobar) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "foobar" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "host1\\foobar", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular 
translation creation failed for icmp src any:81.2.69.195 dst Internet:81.2.69.200 (host1\\foobar) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "foobar" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "LOCAL\\esurbey", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "host1\\foobar", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "user": { + "name": "esurbey" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": 
"<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195(host1\\foobar) dst Internet:81.2.69.200(LOCAL\\esurbey) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey", + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "esurbey" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "LOCAL\\esurbey", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "host1\\foobar", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "user": { + "name": "esurbey" + } + }, + "ecs": { + "version": 
"8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 (host1\\foobar) dst Internet:81.2.69.200 (LOCAL\\esurbey) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey", + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "esurbey" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "LOCAL\\esurbey", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": 
"England" + }, + "ip": "81.2.69.200" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21(LOCAL\\esurbey) dst Internet:81.2.69.200 (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21, + "user": { + "name": "esurbey" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "LOCAL\\esurbey", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + 
"ip": "81.2.69.200" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 (LOCAL\\esurbey) dst Internet:81.2.69.200 (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21, + "user": { + "name": "esurbey" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "host1\\foobar", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": 
"81.2.69.200", + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst Internet:81.2.69.200(host1\\foobar) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "foobar" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "host1\\foobar", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + 
"region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst Internet:81.2.69.200 (host1\\foobar) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "foobar" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "LOCAL\\esurbey", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "host1\\foobar", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + 
"country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "user": { + "name": "esurbey" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21(host1\\foobar) dst Internet:81.2.69.200(LOCAL\\esurbey) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey", + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21, + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "esurbey" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "LOCAL\\esurbey", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "host1\\foobar", + "translation_type": 
"regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "user": { + "name": "esurbey" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 (host1\\foobar) dst Internet:81.2.69.200 (LOCAL\\esurbey) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey", + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21, + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "esurbey" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + 
"icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "LOCAL\\esurbey", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195(LOCAL\\esurbey) dst Internet:81.2.69.200/9234 (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "user": { + "name": "esurbey" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "icmp_code": 
3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "LOCAL\\esurbey", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 (LOCAL\\esurbey) dst Internet:81.2.69.200/9234 (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "user": { + "name": "esurbey" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": 
"host1\\foobar", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234, + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 dst Internet:81.2.69.200/9234(host1\\foobar) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "foobar" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + 
"destination_interface": "Internet", + "destination_username": "host1\\foobar", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234, + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 dst Internet:81.2.69.200/9234 (host1\\foobar) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "foobar" + } + }, + { + 
"@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "LOCAL\\esurbey", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "host1\\foobar", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234, + "user": { + "name": "esurbey" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195(host1\\foobar) dst Internet:81.2.69.200/9234(LOCAL\\esurbey) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey", + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": 
"81.2.69.195", + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "esurbey" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "LOCAL\\esurbey", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "host1\\foobar", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234, + "user": { + "name": "esurbey" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195 (host1\\foobar) dst Internet:81.2.69.200/9234 (LOCAL\\esurbey) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey", + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": 
"GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "esurbey" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "LOCAL\\esurbey", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21(LOCAL\\esurbey) dst Internet:81.2.69.200/9234 (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + 
"continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21, + "user": { + "name": "esurbey" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "LOCAL\\esurbey", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 (LOCAL\\esurbey) dst Internet:81.2.69.200/9234 (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": 
"London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21, + "user": { + "name": "esurbey" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "host1\\foobar", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234, + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst Internet:81.2.69.200/9234(host1\\foobar) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "foobar" + 
] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "foobar" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "host1\\foobar", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234, + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 dst Internet:81.2.69.200/9234 (host1\\foobar) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + 
], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "foobar" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "LOCAL\\esurbey", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "host1\\foobar", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234, + "user": { + "name": "esurbey" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21(host1\\foobar) dst Internet:81.2.69.200/9234(LOCAL\\esurbey) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + 
"product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey", + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21, + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "esurbey" + } + }, + { + "@timestamp": "2024-11-14T16:18:47.000Z", + "cisco": { + "ftd": { + "destination_interface": "Internet", + "destination_username": "LOCAL\\esurbey", + "icmp_code": 3, + "icmp_type": 3, + "source_interface": "any", + "source_username": "host1\\foobar", + "translation_type": "regular" + } + }, + "destination": { + "address": "81.2.69.200", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.200", + "port": 9234, + "user": { + "name": "esurbey" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "305006", + "kind": "event", + "original": "<131>Nov 14 16:18:47 firepower : %FTD-3-305006: regular translation creation failed for icmp src any:81.2.69.195/21 (host1\\foobar) dst Internet:81.2.69.200/9234 (LOCAL\\esurbey) (type 3, code 3)", + "severity": 3, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "error", + "syslog": { + "facility": { + "code": 16 + }, + "priority": 131, + "severity": { + "code": 3 + } + } + }, + "network": { + 
"protocol": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Internet" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "any" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower", + "host1" + ], + "ip": [ + "81.2.69.195", + "81.2.69.200" + ], + "user": [ + "esurbey", + "foobar" + ] + }, + "source": { + "address": "81.2.69.195", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.195", + "port": 21, + "user": { + "domain": "host1", + "name": "foobar" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "esurbey" + } + } + ] +} diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-endpoint-profile.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-endpoint-profile.log-expected.json index 8b56a73c512..7cbdc979e5b 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-endpoint-profile.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-endpoint-profile.log-expected.json @@ -5799,4 +5799,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json index 5298b09d97a..ccd71efbffb 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json @@ -2028,4 +2028,4 @@ ] } ] -} \ No newline at end of file +} 
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json
index e09b9e8ac87..0247b67250a 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json
@@ -923,4 +923,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log-expected.json
index 683026fd8d9..377640d8040 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log-expected.json
@@ -68,4 +68,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-username-with-spaces.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-username-with-spaces.log-expected.json
index e2a906d7cde..24b68a0757a 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-username-with-spaces.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-username-with-spaces.log-expected.json
@@ -56,4 +56,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json
index 7098b9196e7..70bbf413469 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json
@@ -453,4 +453,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
index 90b28f3fea1..fe4fa841e71 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
@@ -281,4 +281,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
index 08bf83fde90..903eee58ea0 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
@@ -249,4 +249,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
index 141ac1217f3..d965d6fac9a 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
@@ -5604,4 +5604,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
index 30889becec1..cd049302e1b 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
@@ -1923,4 +1923,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
index b860c544969..030df2dd7e0 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
@@ -1243,4 +1243,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json
index 355f84ae377..6e1bf35dfcb 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json
@@ -175,4 +175,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index f3380a12f94..1f65ab6a205 100644
--- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -435,12 +435,13 @@ processors:
 if: "ctx._temp_.cisco.message_id == '305006'"
 field: "message"
 description: "305006"
- tag: "305013"
+ tag: "305006"
 patterns:
- - "^%{NOTSPACE:_temp_.cisco.translation_type} translation creation failed for %{NOTSPACE:network.protocol} src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address} dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address} \\(type %{NUMBER:_temp_.cisco.icmp_type}, code %{NUMBER:_temp_.cisco.icmp_code}\\)$"
+ - '^%{NOTSPACE:_temp_.cisco.translation_type} translation creation failed for %{NOTSPACE:network.protocol} src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{NUMBER:source.port})?(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{NUMBER:destination.port})?(\s*\(%{CISCO_USER:_temp_.cisco.destination_username}\))? \(type %{NUMBER:_temp_.cisco.icmp_type}, code %{NUMBER:_temp_.cisco.icmp_code}\)$'
 pattern_definitions:
 NOTCOLON: "[^:]*"
 IPORHOST: "(?:%{IP}|%{HOSTNAME})"
+ CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
 - grok:
 if: "ctx._temp_.cisco.message_id == '305012'"
 field: "message"
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
index ec909e3635d..bb3cf200cdc 100644
--- a/packages/cisco_ftd/manifest.yml
+++ b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ftd
 title: Cisco FTD
-version: "3.4.3"
+version: "3.4.4"
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
 categories:
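Review bot: The optional username groups added to the 305006 pattern resolve through `CISCO_USER`, whose core is `%{USERNAME}` (the standard grok definition is `[a-zA-Z0-9._-]+`), and because the expression is anchored with a literal ` dst` required right after the optional group, a user name containing a space would still fail the whole grok rather than merely leaving the username unset — the same failure class this change is fixing; note the grok processor's own `- grok:` line precedes the hunk. The package already ships a test-ftd-username-with-spaces fixture, so a 305006 sample with such a name in test-ftd-305006.log would show whether the definition needs widening before this goes out. `CISCO_USER` is also the only entry in pattern_definitions written as a plain scalar while NOTCOLON and IPORHOST are quoted; `CISCO_USER: '((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)'` parses to the same string and keeps the block consistent. The ports are captured as bare `%{NUMBER}` strings, so the integer `port` values in the expected JSON presumably come from a convert processor outside this hunk; worth confirming it covers both newly populated fields.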