Conversation

@taylor-swanson taylor-swanson commented Apr 16, 2024

This is part 2 of a two-part change. This PR improves the ECS categorizations for various message types. Existing messages have been improved and new message types have been added where necessary.

For an overview of the different message types, see this spreadsheet.

Proposed commit message

  • Improve ECS categorizations for messages

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

cd packages/cisco_asa
elastic-package test

Related issues

@taylor-swanson taylor-swanson added enhancement New feature or request Integration:cisco_asa Cisco ASA Team:Security-Deployment and Devices DEPRECATED Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Apr 16, 2024
@taylor-swanson taylor-swanson self-assigned this Apr 16, 2024
@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

- Improve ECS categorizations for messages
@taylor-swanson taylor-swanson marked this pull request as ready for review April 23, 2024 13:18
@taylor-swanson taylor-swanson requested a review from a team as a code owner April 23, 2024 13:18
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

"304001":
type: [ connection, allowed ]
type: [ access, allowed ]
action: url-access

@gogochan gogochan Apr 23, 2024


On the Google sheet, event.action is firewall-rule, but here it is url-access. I don't think this was noted anywhere. It would be helpful if it were.

type: [ connection, denied ]
action: drop
outcome: unknown
type: [ denied ]

On the Google sheet, it says connection for type.

@taylor-swanson

I think the table of mappings I had is a bit out of date. I think I need to do a run through again and make sure everything's up-to-date.

@taylor-swanson taylor-swanson marked this pull request as draft April 23, 2024 18:51
@taylor-swanson

/test

@taylor-swanson taylor-swanson marked this pull request as ready for review April 29, 2024 18:01
@taylor-swanson

A few changes I made:

  • The spreadsheet and pipeline should now be in sync with each other
  • Split the script into two, one for outcome-based assignment, and one for general assignment.
  • Improved categorizations here and there, but feel free to comment in either the pipeline or spreadsheet.

Overall, I think event.action may need some additional review, but the other categorizations should be good at this point.


@pkoutsovasilis pkoutsovasilis left a comment


Except for one question I added, this LGTM.


@jrmolin jrmolin left a comment


🤞

@elasticmachine

💚 Build Succeeded

cc @taylor-swanson

@taylor-swanson taylor-swanson merged commit a5d082a into elastic:main May 15, 2024
@taylor-swanson taylor-swanson deleted the enhance/cisco-asa-apply-categorizations branch May 15, 2024 13:54
@elasticmachine

Package cisco_asa - 2.34.0 containing this change is available at https://epr.elastic.co/search?package=cisco_asa
