cisco_asa,cisco_ftd: retain source and destination user emails if pre…

…sent
elastic · Jan 16, 2024 · 329eabb · 329eabb
1 parent 0b694bd
commit 329eabb
Show file tree

Hide file tree

Showing 12 changed files with 65 additions and 9 deletions.
diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.30.0"
+  changes:
+    - description: Retain email address of source and destination user.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/8898
 - version: "2.29.0"
   changes:
     - description: Support spaces and special characters in usernames.

diff --git a/...es/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json b/...es/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
@@ -581,6 +581,7 @@
                 "ip": "192.168.0.1",
                 "user": {
                     "domain": "example.com",
+                    "email": "foo.bar@example.com",
                     "group": {
                         "name": "GroupPolicy_Employee"
                     },

diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
@@ -5509,6 +5509,7 @@
                 "port": 12312,
                 "user": {
                     "domain": "domain.tld",
+                    "email": "user@domain.tld",
                     "name": "user"
                 }
             },
@@ -5639,6 +5640,7 @@
                 "ip": "175.16.199.1",
                 "user": {
                     "domain": "domain.tld",
+                    "email": "user@domain.tld",
                     "name": "user"
                 }
             },
@@ -5701,6 +5703,7 @@
                 "ip": "67.43.156.15",
                 "user": {
                     "domain": "domain.tld",
+                    "email": "user@domain.tld",
                     "name": "user"
                 }
             },

diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1811,11 +1811,13 @@ processors:
       if: 'ctx.source?.user?.name != null'
       tag: "grok_source_user_name"
       patterns:
+        - (%{CISCO_DOMAIN})?%{CISCO_USER_EMAIL:source.user.email}
         - (%{CISCO_DOMAIN})?%{CISCO_USER}
         - \*+
       pattern_definitions:
         USERNAME: "[^@$]+"
-        CISCO_USER: "%{USERNAME:source.user.name}(@%{HOSTNAME:source.user.domain})?"
+        CISCO_USER_EMAIL: "%{CISCO_USER}@%{HOSTNAME:source.user.domain}"
+        CISCO_USER: "%{USERNAME:source.user.name}"
         CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)?
       on_failure:
         - append:
@@ -1828,10 +1830,12 @@ processors:
       tag: "grok_destination_user_name"
       if: 'ctx?.destination?.user?.name != null'
       patterns:
+        - (%{CISCO_DOMAIN})?%{CISCO_USER_EMAIL:destination.user.email}
         - (%{CISCO_DOMAIN})?%{CISCO_USER}
       pattern_definitions:
         USERNAME: "[^@$]+"
-        CISCO_USER: "%{USERNAME:destination.user.name}(@%{HOSTNAME:destination.user.domain})?"
+        CISCO_USER_EMAIL: "%{CISCO_USER}@%{HOSTNAME:destination.user.domain}"
+        CISCO_USER: "%{USERNAME:destination.user.name}"
         CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)?
       on_failure:
         - append:

diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml
@@ -44,6 +44,8 @@
   name: destination.port
 - external: ecs
   name: destination.user.domain
+- external: ecs
+  name: destination.user.email
 - external: ecs
   name: destination.user.name
 - external: ecs
@@ -208,6 +210,8 @@
   name: source.port
 - external: ecs
   name: source.user.domain
+- external: ecs
+  name: source.user.email
 - external: ecs
   name: source.user.name
 - external: ecs

diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md
@@ -222,6 +222,7 @@ An example event for `log` looks as following:
 | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
 | destination.port | Port of the destination. | long |
 | destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| destination.user.email | User email address. | keyword |
 | destination.user.name | Short name or login of the user. | keyword |
 | destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
@@ -335,6 +336,7 @@ An example event for `log` looks as following:
 | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
 | source.port | Port of the source. | long |
 | source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.email | User email address. | keyword |
 | source.user.group.name | Name of the group. | keyword |
 | source.user.name | Short name or login of the user. | keyword |
 | source.user.name.text | Multi-field of `source.user.name`. | match_only_text |

diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: cisco_asa
 title: Cisco ASA
-version: "2.29.0"
+version: "2.30.0"
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
 categories:

diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.1.0"
+  changes:
+    - description: Retain email address of source and destination user.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/8898
 - version: "3.0.3"
   changes:
     - description: Added nullcheck for Network Directionality when zones aren't configured

diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1721,24 +1721,44 @@ processors:
       field: destination.user.name
       value: "{{{ _temp_.cisco.destination_username }}}"
       if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null'
+  # Support masked user value
   - grok:
       field: "source.user.name"
-      if: 'ctx?.source?.user?.name != null'
-      ignore_failure: true
+      if: 'ctx.source?.user?.name != null'
+      tag: "grok_source_user_name"
       patterns:
+        - (%{CISCO_DOMAIN})?%{CISCO_USER_EMAIL:source.user.email}
         - (%{CISCO_DOMAIN})?%{CISCO_USER}
+        - \*+
       pattern_definitions:
-        CISCO_USER: "%{USERNAME:source.user.name}(@%{HOSTNAME:source.user.domain})?"
+        USERNAME: "[^@$]+"
+        CISCO_USER_EMAIL: "%{CISCO_USER}@%{HOSTNAME:source.user.domain}"
+        CISCO_USER: "%{USERNAME:source.user.name}"
         CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)?
+      on_failure:
+        - append:
+            field: error.message
+            value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
+        - fail:
+            message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
   - grok:
       field: "destination.user.name"
+      tag: "grok_destination_user_name"
       if: 'ctx?.destination?.user?.name != null'
-      ignore_failure: true
       patterns:
+        - (%{CISCO_DOMAIN})?%{CISCO_USER_EMAIL:destination.user.email}
         - (%{CISCO_DOMAIN})?%{CISCO_USER}
       pattern_definitions:
-        CISCO_USER: "%{USERNAME:destination.user.name}(@%{HOSTNAME:destination.user.domain})?"
+        USERNAME: "[^@$]+"
+        CISCO_USER_EMAIL: "%{CISCO_USER}@%{HOSTNAME:destination.user.domain}"
+        CISCO_USER: "%{USERNAME:destination.user.name}"
         CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)?
+      on_failure:
+        - append:
+            field: error.message
+            value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
+        - fail:
+            message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
 
   #
   # Normalize protocol names

diff --git a/packages/cisco_ftd/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/data_stream/log/fields/ecs.yml
@@ -44,6 +44,10 @@
   name: destination.packets
 - external: ecs
   name: destination.port
+- external: ecs
+  name: destination.user.domain
+- external: ecs
+  name: destination.user.email
 - external: ecs
   name: destination.user.name
 - external: ecs
@@ -259,6 +263,10 @@
   name: source.packets
 - external: ecs
   name: source.port
+- external: ecs
+  name: source.user.domain
+- external: ecs
+  name: source.user.email
 - external: ecs
   name: source.user.name
 - external: ecs

diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md
@@ -347,6 +347,8 @@ An example event for `log` looks as following:
 | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
 | destination.packets | Packets sent from the destination to the source. | long |
 | destination.port | Port of the destination. | long |
+| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| destination.user.email | User email address. | keyword |
 | destination.user.name | Short name or login of the user. | keyword |
 | destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
 | device.manufacturer | The vendor name of the device manufacturer. | keyword |
@@ -487,6 +489,8 @@ An example event for `log` looks as following:
 | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
 | source.packets | Packets sent from the source to the destination. | long |
 | source.port | Port of the source. | long |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.email | User email address. | keyword |
 | source.user.group.name | Name of the group. | keyword |
 | source.user.name | Short name or login of the user. | keyword |
 | source.user.name.text | Multi-field of `source.user.name`. | match_only_text |

diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: cisco_ftd
 title: Cisco FTD
-version: "3.0.3"
+version: "3.1.0"
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
 categories: