[cisco_ftd] Add network and dns ECS fields

[LaZyDK]

What does this PR do?

This will sum up source.bytes and destination.bytes into network.bytes, along with extracting dns.question.registered_domain from dns.question.name.
user.name will be removed if the string is "Not Found".

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-03-28T07:23:50.629+0000

• Duration: 20 min 31 sec

Test stats 🧪

Test	Results
Failed	0
Passed	20
Skipped	0
Total	20

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[efd6]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (1/1)	💚
Classes	100.0% (1/1)	💚
Methods	100.0% (19/19)	💚
Lines	67.861% (1288/1898)	❕
Conditionals	100.0% (0/0)	💚

[LaZyDK]

I need help fixing usernames from FTD integrated with Passive Authentication.
This will generate the user.name with the format:
STRING\username

The string can be a custom description of the domain used for user lookup, but it is not required to be an actual domain name. (Eg. AD or COMPANYAD etc.)
I am using this in a custom pipeline, but I am not sure this is the correct way to implement the fix for example when the data source is Cisco ASA and not FTD.
(?:%{DATA}\\)?%{GREEDYDATA:user.name}

[efd6]

The pipeline test expects need to be updated for this.

Also needs additions to fields/ecs.yml:

[0] field "dns.question.registered_domain" is undefined
[1] field "dns.question.subdomain" is undefined
[2] field "dns.question.top_level_domain" is undefined

[efd6]

For #5522 (comment) do you have examples where they would differ and how that would cause an issue?

[LaZyDK]

For #5522 (comment) do you have examples where they would differ and how that would cause an issue?

I cannot comprehend the different options here, hence me asking.
Looking at some Cisco ASA data i find the user.name field filled with different things like:

• real usernames (when cisco.asa.destination_username: LOCAL\user then user.name: user)
• IPv4 addresses from Site2site tunnels (event.code: 602304)
• "DefaultL2LGroup" and "Unknown" from IKEv2 tunnels (event.code: 750002 and 750003)

[efd6]

Yeah, you really need to glean that on a case-by-case basis from the Cisco documentation.

[efd6]

/test

[LaZyDK]

My mistake.

[efd6]

/test

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

Needs an elastic-package build.

[LaZyDK]

Ready for review

[efd6]

/test

[LaZyDK]

should be good now

[efd6]

/test

[efd6]

Can you provide test cases for the new event.outcome classifications?

[LaZyDK]

Can you provide test cases for the new event.outcome classifications?

Added test case for event.outcome "monitor".
Still need to find events for "trust", "block with reset" and "domain not found".

[LaZyDK]

Added test cases for event.outcome "trust" and "block with reset".
Still need to find event for "domain not found".

[LaZyDK]

I found another value for event.outcome, so now I am looking for test data for both "pass" and "domain not found".

[LaZyDK]

I need help fixing usernames from FTD integrated with Passive Authentication. This will generate the user.name with the format: STRING\username

The string can be a custom description of the domain used for user lookup, but it is not required to be an actual domain name. (Eg. AD or COMPANYAD etc.) I am using this in a custom pipeline, but I am not sure this is the correct way to implement the fix for example when the data source is Cisco ASA and not FTD. (?:%{DATA}\\)?%{GREEDYDATA:user.name}

Fixed with this: https://github.com/elastic/integrations/pull/5522/files#diff-753433e478ec043eaee29b5dcd39b3f7153a0f858323be73401e0e1aab3e7255R2137

[efd6]

/test

[efd6]

LGTM with minor nit.

[LaZyDK]

Minor nit removed. All good from here. Ready to go.

[elasticmachine]

Package cisco_ftd - 2.9.2 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd