What did you do?
Standard configuration - not too relevant as this is specifically related to the Ingest Pipeline.
What did you see?
The values for event.start and event.end are incorrectly calculated, specifically observed for the FTD event syslog message 430003. This is further explained below (What did you expect to see?).
What I see:
What did you expect to see?
According to Cisco Secure Firewall Threat Defense Syslog Messages, FirstPacketSecond is "the time the system encountered the first packet", and ConnectionDuration is "the number of seconds between the first packet and the last packet". As such, we would expect the time of event.start to match FirstPacketSecond, and event.end to match event.start plus ConnectionDuration. However, event.end matches FirstPacketSecond, and event.start is equal to FirstPacketSecond minus ConnectionDuration.
What I expected to see:
Anything else?
I have adjusted the relevant script processor in my local instance of Elasticsearch. This is how I generated the "What I expect to see" image.
I am happy to implement the changes in the appropriate pull request here too.
Integration Name
Cisco FTD [cisco_ftd]
Dataset Name
cisco.ftd
Integration Version
3.4.3
Agent Version
8.7.1
Agent Output Type
elasticsearch
Elasticsearch Version
8.12.1
OS Version and Architecture
Ubuntu 22.04 LTS (x86_64)
Software/API Version
No response
Error Message
No response
Event Original
%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000, InstanceID: 0, FirstPacketSecond: 2024-10-30T05:07:41Z, ConnectionID: 0, AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 0.0.0.0, SrcPort: 0, DstPort: 0, Protocol: tcp, IngressInterface: redacted, EgressInterface: redacted, IngressZone: redacted, EgressZone: redacted, IngressVRF: redacted, EgressVRF: redacted, ACPolicy: redacted, AccessControlRuleName: redacted, Prefilter Policy: redacted, User: Not Found, ConnectionDuration: 429384, InitiatorPackets: 1507065, ResponderPackets: 2092306, InitiatorBytes: 378041802, ResponderBytes: 1365498843, NAPPolicy: redacted, ClientAppDetector: AppID
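The following is an added example, not code from the issue reporter or from the Elastic cisco_ftd integration (whose script processor is written in Painless, not Python). It parses the Event Original above into key/value fields and computes event.start and event.end two ways: as the issue reports the current pipeline behaves (event.end anchored to FirstPacketSecond, event.start pushed back by ConnectionDuration) and as the Cisco documentation quoted above defines them (event.start = FirstPacketSecond, event.end = event.start + ConnectionDuration). The function names and the assumption that FirstPacketSecond is always a UTC "Z" timestamp are mine; the sample message is the redacted one from the issue.

```python
from datetime import datetime, timedelta, timezone

# Sample message taken from the issue's "Event Original" (already redacted there).
SAMPLE_430003 = (
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000, "
    "InstanceID: 0, FirstPacketSecond: 2024-10-30T05:07:41Z, ConnectionID: 0, "
    "AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 0.0.0.0, SrcPort: 0, DstPort: 0, "
    "Protocol: tcp, IngressInterface: redacted, EgressInterface: redacted, IngressZone: redacted, "
    "EgressZone: redacted, IngressVRF: redacted, EgressVRF: redacted, ACPolicy: redacted, "
    "AccessControlRuleName: redacted, Prefilter Policy: redacted, User: Not Found, "
    "ConnectionDuration: 429384, InitiatorPackets: 1507065, ResponderPackets: 2092306, "
    "InitiatorBytes: 378041802, ResponderBytes: 1365498843, NAPPolicy: redacted, "
    "ClientAppDetector: AppID"
)

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumption: FirstPacketSecond is always UTC with a 'Z' suffix


def parse_ftd_fields(message: str) -> dict:
    """Split a %FTD-6-430003 message into its 'Key: value' pairs.

    The first ': ' separates the syslog mnemonic from the body; the body is a
    comma-separated list of 'Key: value' pairs (keys may contain spaces,
    e.g. 'Prefilter Policy').
    """
    _, _, body = message.partition(": ")
    fields = {}
    for part in body.split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _first_and_duration(fields: dict):
    first = datetime.strptime(fields["FirstPacketSecond"], TS_FORMAT).replace(tzinfo=timezone.utc)
    duration = timedelta(seconds=int(fields["ConnectionDuration"]))
    return first, duration


def _iso(dt: datetime) -> str:
    return dt.strftime(TS_FORMAT)


def reported_pipeline_times(fields: dict) -> dict:
    """Reproduces the behaviour the issue reports (hypothetical model of the current pipeline):
    event.end is set to FirstPacketSecond and event.start to FirstPacketSecond - ConnectionDuration."""
    first, duration = _first_and_duration(fields)
    return {"event.start": _iso(first - duration), "event.end": _iso(first)}


def documented_times(fields: dict) -> dict:
    """What the Cisco field definitions imply: the connection starts at FirstPacketSecond
    and ends ConnectionDuration seconds later."""
    first, duration = _first_and_duration(fields)
    return {"event.start": _iso(first), "event.end": _iso(first + duration)}


if __name__ == "__main__":
    parsed = parse_ftd_fields(SAMPLE_430003)
    print("as reported :", reported_pipeline_times(parsed))
    print("as documented:", documented_times(parsed))
```

Running this on the sample message shows the two interpretations differ by the full 429384-second (just under five days) duration in both fields, which is why timeline-based detections or dashboards keyed on event.start would place this connection almost five days too early.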