
[Cisco ASA] Support patterns with SGT tag:name as username #8205

Merged
merged 10 commits into from Oct 23, 2023

Conversation

@kcreddy kcreddy (Contributor) commented Oct 16, 2023

Proposed commit message

When using Cisco ASA with the SXP protocol and SGT-tags to write firewall rules, the format of the idfw_user is presented in their logs as SGT-tag:SGT-name. Multiple message_id are now required to support this change.

Sample log: <140>Oct 06 2023 09:22:19 myAsaHostname : %ASA-4-106023: Deny tcp src outside:192.168.2.2/51982(9999:my_SgtName) dst inside:192.168.2.3/443 by access-group "outside_access_in" [0x2a9e189a, 0x0], which will fail with the existing GROK patterns, as (9999:my_SgtName) is not handled.

Fixed by updating the CISCO_USER pattern in each of these messages to support SGT-tag:SGT-name.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

Screenshots
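As an added illustration, not code from this PR or from the cisco_asa integration, the following Python matcher for the %ASA-4-106023 deny line shows why a username sub-pattern limited to the legacy form rejects the whole line once the SGT form appears, and how an alternation that accepts tag:name fixes it. The two user regexes are assumptions standing in for the integration's real CISCO_USER grok pattern, and the sample lines are constructed.

```python
import re
from typing import Optional

# Constructed sample lines (not captured from a real device). The first carries the
# SGT tag:name form this PR is about; the second uses the legacy DOMAIN\user form.
SAMPLE_LINES = [
    '<140>Oct 06 2023 09:22:19 myAsaHostname : %ASA-4-106023: Deny tcp src '
    'outside:192.168.2.2/51982(9999:my_SgtName) dst inside:192.168.2.3/443 '
    'by access-group "outside_access_in" [0x2a9e189a, 0x0]',
    '<140>Oct 06 2023 09:22:20 myAsaHostname : %ASA-4-106023: Deny tcp src '
    'outside:10.0.0.5/4444(LOCAL\\bob) dst inside:10.0.0.9/22 '
    'by access-group "outside_access_in" [0x0, 0x0]',
]

# Illustrative user sub-patterns (assumptions); they stand in for the integration's
# CISCO_USER grok pattern, which is not reproduced here.
LEGACY_USER = r'(?:[\w.-]+\\)?[\w.@-]+'   # optional DOMAIN\ prefix, then user name
SGT_USER = r'\d+:[\w.-]+'                  # numeric SGT tag, colon, SGT name
SGT_RE = re.compile(SGT_USER)

def build_pattern(user: str) -> re.Pattern:
    """Build a %ASA-4-106023 matcher whose optional (user) suffix accepts `user`."""
    def endpoint(p: str) -> str:
        return (rf'(?P<{p}_zone>[\w-]+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)'
                rf'(?:\((?P<{p}_user>{user})\))?')
    return re.compile(
        r'%ASA-\d-106023: Deny (?P<proto>\w+) src ' + endpoint('src')
        + r' dst ' + endpoint('dst') + r' by access-group "(?P<acl>[^"]+)"')

OLD_PATTERN = build_pattern(LEGACY_USER)                      # before the fix
NEW_PATTERN = build_pattern(f'(?:{SGT_USER}|{LEGACY_USER})')  # after the fix

def parse_deny(line: str, pattern: re.Pattern = NEW_PATTERN) -> Optional[dict]:
    """Return the parsed fields (SGT users split into tag and name), or None on no match."""
    m = pattern.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for side in ('src', 'dst'):
        user = rec[f'{side}_user']
        if user and SGT_RE.fullmatch(user):
            tag, name = user.split(':', 1)
            rec[f'{side}_sgt_tag'] = int(tag)
            rec[f'{side}_sgt_name'] = name
    return rec

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print('old matches:', parse_deny(line, OLD_PATTERN) is not None, '| new:', parse_deny(line))
```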

@kcreddy kcreddy changed the title Support patterns with SGT name in Cisco ASA [Cisco ASA] Support patterns with SGT tag:name as username Oct 16, 2023
@elasticmachine commented Oct 16, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-10-17T10:31:23.231+0000

  • Duration: 17 min 42 sec

Test stats 🧪

Test Results: Failed 0, Passed 24, Skipped 0, Total 24


@kcreddy kcreddy marked this pull request as ready for review October 16, 2023 16:53
@kcreddy kcreddy requested a review from a team as a code owner October 16, 2023 16:54
@kcreddy kcreddy self-assigned this Oct 16, 2023
@elasticmachine commented: Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine commented:

🌐 Coverage report

Name          Metrics % (covered/total)   Diff
Packages      100.0%    (1/1)             💚
Files         100.0%    (1/1)             💚
Classes       100.0%    (1/1)             💚
Methods       94.444%   (17/18)           👍 2.981
Lines         69.616%   (1597/2294)       👎 -26.695
Conditionals  100.0%    (0/0)             💚

@kcreddy kcreddy requested a review from efd6 October 17, 2023 11:57
@kcreddy kcreddy merged commit f70d984 into elastic:main Oct 23, 2023
4 checks passed
@elasticmachine commented: Package cisco_asa - 2.26.1 containing this change is available at https://epr.elastic.co/search?package=cisco_asa
