elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

cisco_asa, cisco_ftd: wrong classification of event 302020 #4199

Closed leandrojmp closed 1 year ago

leandrojmp commented 2 years ago

Hello,

We are using the ingest pipelines of some integrations as the basis for how we should classify our events in our Logstash pipelines.

We have logs from both Cisco ASA and Cisco FTD, and while checking the ingest pipelines of those integrations I noticed that at least one cisco message id has a wrong classification.

The message id 302020 is, according to the Cisco documentation, a Built event, which would mean that a session was established, but in the ingest pipeline of both ASA and FTD, it is being treated as a Teardown event, which would mean that a session was terminated.

This part of the ingest pipeline for the cisco_asa integration sets the field event.action for event 302020 as flow-expiration.

```yaml
  - set:
      if: '["305012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)'
      field: "event.action"
      value: "flow-expiration"
      description: "305012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002"
```

The action for the 302020 event should be flow-creation.

Further in the pipeline the value of event.action is used to create the fields event.kind, event.category and event.type, so the event 302020 would have the following event fields.

I think that the correct values for those fields should be:

This happens with the Cisco ASA integration, the Cisco FTD integration and also the Cisco ASA/FTD module in Filebeat.
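As an added example (not code from the issue or from the integration's own pipeline), the following Python script reproduces the quoted flow-expiration rule, derives the ECS fields from event.action, and cross-checks each classification against the "Built"/"Teardown" wording in the Cisco message body, which flags 302020 as misclassified. The flow-creation id list, the ECS derivation and the sample syslog lines are assumptions constructed for this example.

```python
import re

# Ids the quoted set processor maps to flow-expiration (copied from the issue).
FLOW_EXPIRATION_IDS = {"305012", "302014", "302016", "302018", "302020", "302021",
                       "302036", "302304", "302306", "609001", "609002"}
# Assumed counterpart list for flow-creation (not quoted on the page).
FLOW_CREATION_IDS = {"302013", "302015", "302017", "302303", "302305"}

# Assumed ECS derivation from event.action (the issue's tables were lost).
ECS_BY_ACTION = {
    "flow-creation": {"event.kind": "event", "event.category": ["network"],
                      "event.type": ["connection", "start"]},
    "flow-expiration": {"event.kind": "event", "event.category": ["network"],
                        "event.type": ["connection", "end"]},
}

ASA_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<msg>.*)")

def classify(message_id, fix_302020=False):
    """Mirror the pipeline's set processors; optionally apply the proposed fix."""
    expiration, creation = FLOW_EXPIRATION_IDS, FLOW_CREATION_IDS
    if fix_302020:
        expiration = expiration - {"302020"}
        creation = creation | {"302020"}
    if message_id in expiration:
        return "flow-expiration"
    if message_id in creation:
        return "flow-creation"
    return None

def enrich(line, fix_302020=False):
    """Build the event.* fields the pipeline would emit for one syslog line."""
    m = ASA_RE.search(line)
    if not m:
        return None
    action = classify(m["id"], fix_302020)
    doc = {"cisco.message_id": m["id"], "event.action": action}
    if action:
        doc.update(ECS_BY_ACTION[action])
    return doc

def action_from_text(msg):
    """Cisco's own wording: 'Built' = session established, 'Teardown' = terminated."""
    if msg.startswith("Built"):
        return "flow-creation"
    if msg.startswith("Teardown"):
        return "flow-expiration"
    return None

def find_mismatches(lines, fix_302020=False):
    """Return (id, pipeline_action, action_from_text) where the two disagree."""
    bad = []
    for line in lines:
        m = ASA_RE.search(line)
        if m:
            expected, got = action_from_text(m["msg"]), classify(m["id"], fix_302020)
            if expected and got and expected != got:
                bad.append((m["id"], got, expected))
    return bad

# Constructed sample lines (not real captures).
SAMPLE = [
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/4432 (203.0.113.5/4432) to inside:10.0.0.8/443 (10.0.0.8/443)",
    "%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/4432 to inside:10.0.0.8/443 duration 0:00:03 bytes 1500 TCP FINs",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.5/0 gaddr 10.0.0.8/0 laddr 10.0.0.8/0",
    "%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.5/0 gaddr 10.0.0.8/0 laddr 10.0.0.8/0",
]

if __name__ == "__main__":
    print("unfixed:", find_mismatches(SAMPLE))
    print("fixed:  ", find_mismatches(SAMPLE, fix_302020=True))
```

Run against your own exported ASA/FTD logs, the mismatch list doubles as a regression check for any local Logstash classification derived from the integration's pipeline.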

elasticmachine commented 2 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)