Merge branch 'main' into azure-integration-cloud-connector-type

Author: amirbenun

go.mod

@@ -13,7 +13,7 @@ require (
 github.com/magefile/mage v1.15.0
 github.com/pkg/errors v0.9.1
 github.com/stretchr/testify v1.11.1
-golang.org/x/mod v0.27.0
+golang.org/x/mod v0.28.0
 golang.org/x/tools v0.36.0
 gopkg.in/yaml.v3 v3.0.1
 )

go.sum

@@ -677,8 +677,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
+golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=

packages/cisco_asa/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.43.8"
+ changes:
+ - description: Support special characters in interface name in 315011 messages.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15242
 - version: "2.43.7"
  changes:
  - description: Support IPv6 addresses in 750002 and 750003 messages.

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log

@@ -128,6 +128,7 @@ May 5 19:02:25 dev01: %ASA-6-716039: Group <malcorp group> User <malory> IP <17
 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-315011: SSH session from 10.1.2.1 on interface inside for user USER_1 disconnected by SSH server, reason: Out of memory
 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-315011: SSH session from 10.1.2.3 on interface inside for user "user-test" terminated normally.
 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-315011: SSH session from 10.1.2.3 on interface inside for user "*****" disconnected by SSH server, reason: "Time-out activated" (0x91)
+<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-315011: SSH session from 10.1.2.3 on interface int-with-hyphen for user "user-test" terminated normally.
 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-721016: (DEVICE_1) WebVPN session for client user USER_1, IP 10.20.0.1 has been created.
 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-721018: (DEVICE_1) WebVPN session for client user USER_1, IP 10.20.0.1 has been deleted.
 <140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-5-722028: Group <GROUP 1> User <USER 1> IP <10.20.0.1> Stale SVC connection closed.

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json

@@ -9159,6 +9159,78 @@
  "preserve_original_event"
  ]
  },
+ {
+ "@timestamp": "2023-10-03T16:40:40.000Z",
+ "cisco": {
+ "asa": {
+ "source_interface": "int-with-hyphen"
+ }
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "ssh-session-ended",
+ "category": [
+ "network"
+ ],
+ "code": "315011",
+ "kind": "event",
+ "original": "<140>Oct 03 2023 16:40:40 myAsaHostname : %ASA-6-315011: SSH session from 10.1.2.3 on interface int-with-hyphen for user \"user-test\" terminated normally.",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "connection",
+ "end"
+ ]
+ },
+ "host": {
+ "hostname": "myAsaHostname"
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "facility": {
+ "code": 17
+ },
+ "priority": 140,
+ "severity": {
+ "code": 4
+ }
+ }
+ },
+ "observer": {
+ "hostname": "myAsaHostname",
+ "ingress": {
+ "interface": {
+ "name": "int-with-hyphen"
+ }
+ },
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "hosts": [
+ "myAsaHostname"
+ ],
+ "ip": [
+ "10.1.2.3"
+ ],
+ "user": [
+ "user-test"
+ ]
+ },
+ "source": {
+ "ip": "10.1.2.3",
+ "user": {
+ "name": "user-test"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
  {
  "@timestamp": "2023-10-03T16:40:40.000Z",
  "cisco": {

packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -669,8 +669,8 @@ processors:
  field: "message"
  description: "315011"
  patterns:
- - 'SSH session from %{IP:source.ip} on interface %{WORD:_temp_.cisco.source_interface} for user %{CISCO_USER} disconnected by SSH server, reason: %{GREEDYDATA:event.reason}'
- - 'SSH session from %{IP:source.ip} on interface %{WORD:_temp_.cisco.source_interface} for user %{CISCO_USER} terminated normally'
+ - 'SSH session from %{IP:source.ip} on interface %{NOTSPACE:_temp_.cisco.source_interface} for user %{CISCO_USER} disconnected by SSH server, reason: %{GREEDYDATA:event.reason}'
+ - 'SSH session from %{IP:source.ip} on interface %{NOTSPACE:_temp_.cisco.source_interface} for user %{CISCO_USER} terminated normally'
  pattern_definitions:
  CISCO_USER: '\"?(?:\*{5}|%{USERNAME:source.user.name})\"?'
  - dissect:

packages/cisco_asa/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_asa
 title: Cisco ASA
-version: "2.43.7"
+version: "2.43.8"
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
 categories:

packages/dga/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.3"
+ changes:
+ - description: Remove instructions to change the `default_pipeline` for an index
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15229
 - version: "2.3.2"
  changes:
  - description: Correct typo in Readme

packages/dga/docs/README.md

@@ -60,14 +60,6 @@ For more detailed information refer to the following blogs:
  ```
  - If the `@custom` component template already exists, you will need to edit it to add mappings for data to be properly enriched. Click the three dots next to it and select **Edit**. 
  ![Component Templates](../img/component-templates-edit.png)
- - On the index settings step, add the following. Be sure to change `<VERSION>` to the current package version.
- ```
- {
- "index": {
- "default_pipeline": "<VERSION>-ml_dga_ingest_pipeline"
- }
- }
- ```
  - Proceed to the mappings step in the UI. Click **Add Field** at the bottom of the page and create an an `Object` field for `ml_is_dga`. 
  ![Component Templates](../img/field1.png)
  - Finally create two properties under `ml_is_dga`.

packages/dga/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.4
 name: dga
 title: "Domain Generation Algorithm Detection"
-version: 2.3.2
+version: 2.3.3
 source:
  license: "Elastic-2.0"
 description: "ML solution package to detect domain generation algorithm (DGA) activity in your network data."