[SIEM] Fix Cisco ASA and FTD message 106001 producing bad network.direction #13903
Conversation
In some case network.direction can be `Inbound` instead of `inbound` as expected. This happens with message 106001 in the ASA and FTD. Fixes elastic#13891
| @@ -960,6 +960,9 @@ processors: | |||
| - lowercase: | |||
| field: "file.type" | |||
| ignore_failure: true | |||
| - lowercase: | |||
| field: "network.direction" | |||
There was a problem hiding this comment.
@adriansr Make sure the possible values are actually one of those listed for network.direction in ECS https://www.elastic.co/guide/en/ecs/current/ecs-network.html
E.g. If Cisco has "Inbound", then just lowercasing that is fine. But if instead of "unknown" they have "Unavailable", then just the lowercasing doesn't get you there completely :-)
There was a problem hiding this comment.
Yes, in these logs the direction is not a variable but a hardcoded part of the message, like "Deny inbound {protocol} for {ip}", and then there is another similar message with a different code for "Deny outbound {protocol} for {ip}". Just with message 106001, the direction was at the beginning of the message so it started with an uppercase character.
…ection (elastic#13903) In some case network.direction can be `Inbound` instead of `inbound` as expected. This happens with message 106001 in the ASA and FTD. Fixes elastic#13891 (cherry picked from commit e40fbdd)
…e 106001 producing bad network.direction (elastic#13912) In some case network.direction can be `Inbound` instead of `inbound` as expected. This happens with message 106001 in the ASA and FTD. Fixes elastic#13891
In some case network.direction can be
Inboundinstead ofinboundas expected. This happens only with message 106001 in the ASA and FTD.
Fixes #13891