[Cisco ASA] Fix GROK adding support to usernames ending with "$" (#8362)

* Support usernames ending with "$"

Author: kcreddy

packages/cisco_asa/changelog.yml

@@ -1,4 +1,18 @@
 # newer versions go on top
+- version: "2.27.1"
+ changes:
+ - description: Support usernames ending with "$".
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8362
+ - description: Add "User was not found" as reason to 113015.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8362
+ - description: Allow source to be a domain or an IP inside 313005.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8362
+ - description: Create non-capturing groups for CISCO_USER GROK pattern
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8362
 - version: "2.27.0"
  changes:
  - description: Improve 'event.original' check to avoid errors if set.

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json

@@ -801,6 +801,7 @@
  }
  },
  "destination": {
+ "address": "192.168.2.3",
  "ip": "192.168.2.3",
  "port": 10872
  },
@@ -861,6 +862,7 @@
  ]
  },
  "source": {
+ "address": "192.168.2.2",
  "ip": "192.168.2.2",
  "port": 53
  },
@@ -879,6 +881,7 @@
  }
  },
  "destination": {
+ "address": "192.168.2.3",
  "ip": "192.168.2.3",
  "port": 10872
  },
@@ -943,6 +946,7 @@
  ]
  },
  "source": {
+ "address": "192.168.2.2",
  "ip": "192.168.2.2",
  "port": 53,
  "user": {
@@ -968,6 +972,7 @@
  }
  },
  "destination": {
+ "address": "192.168.2.3",
  "ip": "192.168.2.3",
  "port": 10872
  },
@@ -1032,6 +1037,7 @@
  ]
  },
  "source": {
+ "address": "192.168.2.2",
  "ip": "192.168.2.2",
  "port": 53,
  "user": {
@@ -1054,6 +1060,7 @@
  }
  },
  "destination": {
+ "address": "192.168.2.3",
  "ip": "192.168.2.3"
  },
  "ecs": {
@@ -1115,6 +1122,7 @@
  ]
  },
  "source": {
+ "address": "192.168.2.2",
  "ip": "192.168.2.2"
  },
  "tags": [
@@ -1133,6 +1141,7 @@
  }
  },
  "destination": {
+ "address": "192.168.2.3",
  "ip": "192.168.2.3"
  },
  "ecs": {
@@ -1198,6 +1207,7 @@
  ]
  },
  "source": {
+ "address": "192.168.2.2",
  "ip": "192.168.2.2"
  },
  "tags": [

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sgt-tag-name.log

@@ -14,4 +14,13 @@
 <142>Oct 06 2023 10:30:18 myAsaHostname : %ASA-6-302016: Teardown UDP connection 79784719 for outside:192.168.2.2/60556(9999:my_SgtName) to inside:192.168.2.3/53 duration 0:00:00 bytes 221
 <142>Oct 06 2023 10:34:45 myAsaHostname : %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.2.2/0(9999:my_SgtName) gaddr 192.168.2.3/1 laddr 192.168.2.3/1 type 8 code 0 
 <142>Oct 06 2023 10:32:10 myAsaHostname : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/29(LOCAL\myUser1234, 9999:my_SgtName) gaddr 192.168.2.3/0 laddr 192.168.2.3/0 (myUser1234) type 8 code 0 
-<140>Oct 06 2023 10:33:23 myAsaHostname : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.2.2(LOCAL\myUser1234, 9999:my_SgtName) dst inside:192.168.2.3 (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.2.3/53 dst 192.168.2.2/54860.
+<140>Oct 06 2023 10:33:23 myAsaHostname : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.2.2(LOCAL\myUser1234, 9999:my_SgtName) dst inside:192.168.2.3 (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.2.3/53 dst 192.168.2.2/54860.
+<142>Oct 25 2023 14:27:06 myAsaHostname : %ASA-6-302013: Built inbound TCP connection 101086093 for outside:192.168.2.2/56824 (192.168.2.2/56824)(LOCAL\myUser1234$, 9999:my_SgtName) to inside:192.168.2.3/443 (192.168.2.3/443) (myUser1234$)
+<142>Oct 25 2023 14:22:19 myAsaHostname : %ASA-6-302014: Teardown TCP connection 63490259 for outside:192.168.2.2/49786(LOCAL\myUser1234$, 9999:my_SgtName) to inside:192.168.2.3/5985 duration 0:00:30 bytes 0 SYN Timeout (myUser1234$)
+<142>Oct 25 2023 14:29:02 myAsaHostname : %ASA-6-302015: Built inbound UDP connection 101095490 for outside:192.168.2.2/61219 (192.168.2.2/61219)(LOCAL\myUser1234$, 9999:my_SgtName) to inside:192.168.2.3/53 (192.168.2.3/53) (myUser1234$)
+<142>Oct 25 2023 14:30:31 myAsaHostname : %ASA-6-302016: Teardown UDP connection 101101684 for outside:192.168.2.2/62253(LOCAL\myUser1234$, 9999:my_SgtName) to inside:192.168.2.3/53 duration 0:00:00 bytes 216 (myUser1234$)
+<142>Oct 25 2023 14:32:55 myAsaHostname : %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.2.2/1(LOCAL\myUser1234$, 9999:my_SgtName) gaddr 192.168.2.3/0 laddr 192.168.2.3/0 (myUser1234$) type 8 code 0 
+<142>Oct 25 2023 14:27:04 myAsaHostname : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/1(LOCAL\myUser1234$, 9999:my_SgtName) gaddr 192.168.2.3/0 laddr 192.168.2.3/0 (myUser1234$) type 8 code 0 
+<140>Oct 25 2023 06:53:06 myAsaHostname : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.2.2(LOCAL\myUser1234$, 9999:my_SgtName) dst inside:192.168.2.3 (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.2.3/53 dst 192.168.2.2/55735.
+<142>Oct 25 2023 14:35:37 myAsaHostname : %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 192.168.2.2
+<164>Oct 25 2023 14:40:42 myAsaHostname : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:192.168.2.2 dst outside:myComputer1.myDomain.com (type 3, code 3) on inside interface. Original IP payload: udp src myComputer1.myDomain.com/53 dst 192.168.2.2/58164.