
Conversation

@jrmolin jrmolin commented Jun 4, 2025

Proposed commit message

[cisco_asa] Add specific parsing for 717022, 751025

  • Add message-id-specific parsing for the two message ids
  • Further extract x509 fields, according to ECS
  • No existing tests fail; new data passes

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

git clone --depth 1 https://github.com/elastic/integrations
cd integrations/packages/cisco_asa
elastic-package build && elastic-package test

Related issues

Screenshots

@jrmolin jrmolin added the Integration:cisco_asa, bugfix and Team:Security-Deployment and Devices labels Jun 4, 2025
@jrmolin jrmolin marked this pull request as ready for review June 4, 2025 19:25
@jrmolin jrmolin requested a review from a team as a code owner June 4, 2025 19:25
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

Comment on lines 1282 to 1314
      description: >-
        Sets the parts to the correct names
      params:
        "ST":
          name: "state_or_province"
        "S":
          name: "state_or_province"
        "P":
          name: "state_or_province"
        "CN":
          name: "common_name"
        "C":
          name: "country"
        "L":
          name: "locality"
        "O":
          name: "organization"
        "OU":
          name: "organizational_unit"
      source: |
        def subject = new HashMap();
        def parts = ctx._temp_.cisco.dn_parts;
        for (entry in params.entrySet()) {
          def k = entry.getKey();
          def _v = entry.getValue();
          if (parts.containsKey(k)) {
            def v = parts[k];
            List values = (v instanceof List) ? v : [v]; // `[v]` is a Painless list literal
            subject[_v["name"]] = values;
          }
        }
        ctx._temp_.cisco.dn_parts = subject;
      if: 'ctx._temp_.cisco?.dn_parts != null'
Contributor

Seems like this can be simplified.

Suggested change
      tag: script_distinguished_name_parts
      description: >-
        Sets the parts to the correct names
      params:
        "ST": "state_or_province"
        "S": "state_or_province"
        "P": "state_or_province"
        "CN": "common_name"
        "C": "country"
        "L": "locality"
        "O": "organization"
        "OU": "organizational_unit"
      source: |
        if (ctx._temp_?.cisco?.dn_parts == null) {
          return;
        }
        def parts = [:];
        // Rename each known DN key to its ECS name; keys missing from params are dropped.
        ctx._temp_.cisco.dn_parts.forEach((k, v) -> {
          if (params.containsKey(k)) {
            parts[params[k]] = v;
          }
        });
        ctx._temp_.cisco.dn_parts = parts;
Contributor Author

Yeah, I was doing other things at first. Simplifying is good.
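The same key-to-ECS renaming the script above performs, written out in Python as an added illustration (not code from the integration or from either participant). The DN parser and the sample DNs are constructed for this example, and merging the ST/S/P aliases into one list is this example's choice; the suggested Painless lets whichever alias is iterated last win.

```python
"""Normalise the attribute keys of a parsed X.509 distinguished name to the
ECS x509 names used by the cisco_asa pipeline script discussed in this PR.

Added example, not the integration's own code. parse_dn() is a constructed
helper standing in for the pipeline's earlier splitting of the DN string.
"""
import re

# Same key -> ECS name table as the pipeline's `params`.
DN_KEY_TO_ECS = {
    "ST": "state_or_province",
    "S": "state_or_province",
    "P": "state_or_province",
    "CN": "common_name",
    "C": "country",
    "L": "locality",
    "O": "organization",
    "OU": "organizational_unit",
}

# Split on commas that are not backslash-escaped (RFC 4514 style escaping).
_RDN_SEPARATOR = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> dict:
    """Turn 'CN=a, OU=x, OU=y' into {'CN': 'a', 'OU': ['x', 'y']}.

    A repeated key becomes a list, the mixed scalar-or-list shape that the
    original script's `(v instanceof List) ? v : [v]` anticipates."""
    parts: dict = {}
    for rdn in _RDN_SEPARATOR.split(dn):
        key, _, value = rdn.strip().partition("=")
        value = value.replace("\\,", ",")
        if key in parts:
            existing = parts[key]
            parts[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            parts[key] = value
    return parts


def normalise_dn_parts(parts: dict) -> dict:
    """Rename keys via DN_KEY_TO_ECS. Unknown keys are dropped, as in the
    suggested script. Values are always lists (as in the original script), so
    aliases such as ST and S accumulate instead of overwriting each other."""
    out: dict = {}
    for key, value in parts.items():
        ecs_name = DN_KEY_TO_ECS.get(key)
        if ecs_name is None:
            continue  # e.g. emailAddress or serialNumber: not mapped by the pipeline
        values = value if isinstance(value, list) else [value]
        out.setdefault(ecs_name, []).extend(values)
    return out
```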

@jrmolin jrmolin requested a review from taylor-swanson June 5, 2025 17:16
          }
        });
        ctx._temp_.cisco.dn_parts = parts;
      if: 'ctx._temp_.cisco?.dn_parts != null'
Contributor

This line is redundant since the main script already checks for null. (if statements are Painless scripts as well, so it's not like the if statement is going to be any faster.)

Suggested change
      if: 'ctx._temp_.cisco?.dn_parts != null'
Contributor Author

Oh; I didn't know that about if statements. I thought it would be faster not to spin up an environment, but it definitely isn't. I understand now.

Contributor Author

I made this change yesterday, but somehow forgot to push it after it passed my local testing.

elastic-vault-github-plugin-prod bot commented Jun 5, 2025

🚀 Benchmarks report

Package cisco_asa 👍(0) 💚(0) 💔(1)

Data stream | Previous EPS | New EPS | Diff (%)           | Result
log         | 1079.91      | 818.33  | -261.58 (-24.22%)  | 💔

To see the full report comment with /test benchmark fullreport

@jrmolin jrmolin requested a review from taylor-swanson June 6, 2025 12:05
@elasticmachine

💚 Build Succeeded

History

@dwhyrock dwhyrock merged commit 44c64a2 into elastic:main Jun 6, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package cisco_asa - 2.43.5 containing this change is available at https://epr.elastic.co/package/cisco_asa/2.43.5/

@andrewkroh andrewkroh added the documentation label Jul 1, 2025