Pattern for Cisco Message 734001.

    Fixes elastic#16212
    The split part is needed, because one has to be able to search for an
    explicit dap_record. As the records order and number can vary a lot,
    just saving the whole string makes no sense. I chose "user.email", "source.ip"
    as ECS fields and "cisco.connection_type", "cisco.dap_records",
    as looking to the syslog messages docs,they also call it like that.
    I made "make update" in /beats/x.pack/filebeat and /beats/filebeat.
    Hopefully the pipeline succeeds now.

CHANGELOG.next.asciidoc

@@ -189,6 +189,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637]
 - Add Filebeat Okta module. {pull}16362[16362]
 - Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907]
+- Add pattern for Cisco ASA / FTD Message 734001 {issue}16212[16212]
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -5476,6 +5476,26 @@ type: short
 
 --
 
+*`cisco.asa.connection_type`*::
++
+--
+The VPN connection type
+
+
+type: keyword
+
+--
+
+*`cisco.asa.dap_records`*::
++
+--
+The assigned DAP records
+
+
+type: keyword
+
+--
+
 [float]
 === ftd
 
@@ -5654,6 +5674,26 @@ type: object
 
 --
 
+*`cisco.ftd.connection_type`*::
++
+--
+The VPN connection type
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.dap_records`*::
++
+--
+The assigned DAP records
+
+
+type: keyword
+
+--
+
 [float]
 === ios
 

x-pack/filebeat/module/cisco/asa/_meta/fields.yml

@@ -85,3 +85,13 @@
     type: short
     description: >
       ICMP code.
+
+  - name: connection_type
+    type: keyword
+    description: >
+      The VPN connection type
+
+  - name: dap_records
+    type: keyword
+    description: >
+      The assigned DAP records

x-pack/filebeat/module/cisco/asa/test/dap_records-expected.json

@@ -0,0 +1,18 @@
+{
+    "source": {
+      "ip": "1.2.3.4"
+    },
+    "user": {
+      "email": "firstname.lastname@domain.net"
+    },
+    "cisco": {
+      "connection_type": "AnyConnect",
+      "dap_records": [
+        "dap_1",
+        "dap_2"
+      ],
+      "asa": {
+        "message_id": "734001"
+      }
+    }
+}

x-pack/filebeat/module/cisco/asa/test/dap_records.log

@@ -0,0 +1 @@
+Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2

x-pack/filebeat/module/cisco/ftd/_meta/fields.yml

@@ -90,3 +90,13 @@
     type: object
     description:
       Raw fields for Security Events.
+
+  - name: connection_type
+    type: keyword
+    description: >
+      The VPN connection type
+
+  - name: dap_records
+    type: keyword
+    description: >
+      The assigned DAP records

x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml

@@ -420,6 +420,13 @@ processors:
       if: "ctx._temp_.cisco.message_id == '338301'"
       field: "server.port"
       value: "{{source.port}}"
+  - dissect:
+      if: "ctx._temp_.cisco.message_id == '734001'"
+      field: "message"
+      pattern: "DAP: User %{user.email}, Addr %{source.ip}, Connection %{cisco.connection_type}: The following DAP records were selected for this connection: %{cisco.dap_records->}"
+  - split:
+      field: "cisco.dap_records"
+      separator: ",\\s+"
 
   #
   # Handle 302xxx messages (Flow expiration a.k.a "Teardown")