[Cisco FTD] Convert source.bytes and network.bytes to integer for proper calculation of network.bytes

[MakoWish]

Type of change

• Bug

What does this PR do?

The values of source.bytes and network.bytes may enter the pipeline as string values instead of integers. This is causing the combination of strings instead of addition of integers in the calculation of network.bytes. This PR adds two convert processors immediately before the network.bytes calculation to ensure both source.bytes and destination.bytes are integers.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• Tested Ingest Pipeline modifications locally

Related issues

• Closes [Cisco FTD] Miscalculation of network.bytes due to String Values Instead of Integers #5858

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-04-18T22:13:55.125+0000

• Duration: 18 min 18 sec

Test stats 🧪

Test	Results
Failed	0
Passed	20
Skipped	0
Total	20

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

/test

[efd6]

This looks fine, but it would be great to add a pipeline test to keep us honest.

[MakoWish]

This looks fine, but it would be great to add a pipeline test to keep us honest.

You just need some sanitized sample events?

[efd6]

If you're unable to add the tests yourself, then yes, that's what's needed.

[efd6]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (1/1)	💚
Classes	100.0% (1/1)	💚
Methods	100.0% (19/19)	💚
Lines	67.996% (1296/1906)	👎 -27.188
Conditionals	100.0% (0/0)	💚

[efd6]

It looks like the tests already in place cover this. Are you able to regenerate the expectations?

[MakoWish]

Here are a few:

<143>2023-04-17T22:22:39Z FW-BLDG1-1  %FTD-7-430002: EventPriority: Low, DeviceUUID: f25f0cae-520d-11ec-b5f5-0000000000ee, InstanceID: 1, FirstPacketSecond: 2023-04-17T22:22:39Z, ConnectionID: 12345, AccessControlRuleAction: Block, SrcIP: 192.168.1.97, DstIP: 8.8.8.8, SrcPort: 56627, DstPort: 443, Protocol: tcp, IngressInterface: IF-Inside, EgressInterface: IF-Outside, IngressZone: internal, EgressZone: external, IngressVRF: Global, EgressVRF: Global, ACPolicy: FTD-A-POL-1, AccessControlRuleName: Default Action, Prefilter Policy: Default Prefilter Policy, User: CONTOSO\jdoe, Client: Chrome, ClientVersion: 111.0.0.0, ApplicationProtocol: HTTP, WebApplication: Skype, InitiatorPackets: 9, ResponderPackets: 14, InitiatorBytes: 1525, ResponderBytes: 6761, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: Contoso_SSL_Policy, SSLRuleName: decrypt_all, SSLFlowStatus: Success, SSLCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSLCertificate: 5d98effdf71809xxxxxxxxxxxxxxxxd7851af965, SSLVersion: TLSv1.2, SSLServerCertStatus: Valid, SSLActualAction: Decrypt (Resign), SSLExpectedAction: Decrypt (Resign), SSLURLCategory: Computers and Internet, SSLSessionID: 191a2f9df1607775002c35a38c0a27e3d286f2e201a7xxxxxxxxxxxxxxxxxxxx, URLCategory: Computers and Internet, URLReputation: Favorable
Apr 17 2023 22:22:39 FW-BLDG6-1  %FTD-6-430002: EventPriority: Low, DeviceUUID: f25f0cae-520d-11ec-b5f5-2222222222dd, InstanceID: 7, FirstPacketSecond: 2023-04-17T22:22:39Z, ConnectionID: 34567, AccessControlRuleAction: Allow, SrcIP: 192.168.120.30, DstIP: 8.8.4.4, SrcPort: 64326, DstPort: 443, Protocol: tcp, IngressInterface: IF-Inside, EgressInterface: IF-Outside, IngressZone: internal, EgressZone: external, IngressVRF: Global, EgressVRF: Global, ACPolicy: POL-1, AccessControlRuleName: ALL ALLOWED Non-Group, Prefilter Policy: Default Prefilter Policy, User: CONTOSO\foobar, Client: Cisco Secure Endpoint, ApplicationProtocol: HTTPS, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 381, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: AppliedMedical_SSL_Policy, SSLRuleName: am_rsm_servers_exempt, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: 88954f2521013d1c180baaaaaaaaaaaaaaaaaaaa, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, URLCategory: Computers and Internet, URLReputation: Trusted, URL: https://tetra-defs.amp.cisco.com
<143>2023-04-17T22:22:39Z   %FTD-7-430003: AccessControlRuleAction: Allow, SrcIP: 192.168.100.32, DstIP: 8.8.4.4, SrcPort: 48100, DstPort: 443, Protocol: tcp, IngressInterface: IF-Inside, EgressInterface: IF-Outside, IngressZone: Inside, EgressZone: Outside, ACPolicy: Base_Policy, AccessControlRuleName: All Allowed, Prefilter Policy: Default Prefilter Policy, User: Unknown, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Google APIs, ConnectionDuration: 90, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 638, ResponderBytes: 4950, NAPPolicy: Balanced Security and Connectivity, URLCategory: Computer and Internet Info, URLReputation: Well known, URL: https://storage.googleapis.com
<119>2023-04-17T22:22:39Z FW-BLDG2-2  %FTD-7-430003: EventPriority: Low, DeviceUUID: 01dca86e-d979-11e8-83ae-abcdefghif12, InstanceID: 2, FirstPacketSecond: 2023-04-17T22:22:33Z, ConnectionID: 45678, AccessControlRuleAction: Allow, SrcIP: 192.168.30.40, DstIP: 1.1.2.2, SrcPort: 51544, DstPort: 443, Protocol: tcp, IngressInterface: IF-Inside, EgressInterface: IF-Outside, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Base_Policy, AccessControlRuleName: Whitelisted_Access_Websites, Prefilter Policy: Default Prefilter Policy, User: Not Found, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Sharepoint Online, ConnectionDuration: 6, InitiatorPackets: 13, ResponderPackets: 18, InitiatorBytes: 4016, ResponderBytes: 13048, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: ff6ca78ac51c0582b77fbbbbbbbbbbbbbbbbbbbb, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, URL: https://contoso.sharepoint.com

Eric

[MakoWish]

Was adding the above sample messages while you responded. How exactly would I regenerate expectations? The expectation is that 1+1=2 instead of 1+1=11.

[efd6]

This requires that you have the elastic-package dev tools and Docker installed. Then you run elastic-package test pipeline -g in the package directory. If you can't do this, let me know and I'll add the required changes.

[MakoWish]

If you wouldn't mind. I will work on getting that setup in the meantime for any future needs.

Eric

[efd6]

/test

[efd6]

thanks

[elasticmachine]

Package cisco_ftd - 2.10.1 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd