diff --git a/go.mod b/go.mod
index a32cea0cff7..307f6807e16 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.12
 
 require (
 github.com/blang/semver v3.5.1+incompatible
-github.com/elastic/elastic-package v0.0.0-20201202151510-fe69843289af
+github.com/elastic/elastic-package v0.0.0-20201211101121-88f40b569b78
 github.com/elastic/package-registry v0.13.0
 github.com/magefile/mage v1.10.0
 github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
index d5dd0a1abeb..cd5ee8b5636 100644
--- a/go.sum
+++ b/go.sum
@@ -84,8 +84,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/elastic/elastic-package v0.0.0-20201202151510-fe69843289af h1:KgL6xzIw8JfEAv1yguO3nFigtlGVvVSVWzAUQGnDsYY=
-github.com/elastic/elastic-package v0.0.0-20201202151510-fe69843289af/go.mod h1:2dVvy0o3MA3QcUIIbIx3fI3+0iZj+GWx+sWamlUPknk=
+github.com/elastic/elastic-package v0.0.0-20201211101121-88f40b569b78 h1:O88BTmG/DtGywk6Y965Ay7d51qPMl1cpRa55Ytlnz80=
+github.com/elastic/elastic-package v0.0.0-20201211101121-88f40b569b78/go.mod h1:Fvhveu6PsnX82/yGGMoTExmh3B2ecBZ4EIjiR0TSm18=
 github.com/elastic/go-elasticsearch/v7 v7.9.0 h1:UEau+a1MiiE/F+UrDj60kqIHFWdzU1M2y/YtBU2NC2M=
 github.com/elastic/go-elasticsearch/v7 v7.9.0/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4=
 github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=
@@ -93,8 +93,8 @@ github.com/elastic/go-ucfg v0.8.4-0.20200415140258-1232bd4774a6 h1:Ehbr7du4rSSEy
 github.com/elastic/go-ucfg v0.8.4-0.20200415140258-1232bd4774a6/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo=
 github.com/elastic/package-registry v0.13.0 h1:RdIzD111v1chu0L3MrbUGqgt6RZ9a9DVN3XMgjgOAu0=
 github.com/elastic/package-registry v0.13.0/go.mod h1:oQx3Tg9ynuC6APd0o0OHud9kyPX6S6IzdJp/R4Hj1HY=
-github.com/elastic/package-spec/code/go v0.0.0-20201202075901-3b4d8207554d h1:9GXCPO5Ahy12Qo+JKvdujuihSyqXyxeBQsxg+c13OaY=
-github.com/elastic/package-spec/code/go v0.0.0-20201202075901-3b4d8207554d/go.mod h1:3W6uyBFCE4/NPcVPb+ZuoLJTMLu8BCTc+PRFDutSvfE=
+github.com/elastic/package-spec/code/go v0.0.0-20201210164239-22bc835bcf04 h1:DfZR0hCpA1yE/bG9q1FJoeajvbrjWn945bXyavC8knE=
+github.com/elastic/package-spec/code/go v0.0.0-20201210164239-22bc835bcf04/go.mod h1:3W6uyBFCE4/NPcVPb+ZuoLJTMLu8BCTc+PRFDutSvfE=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log
new file mode 100644
index 00000000000..f9ba86b8d0c
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log
@@ -0,0 +1,69 @@
+May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00
+May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1
+May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)
+May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)
+May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67
+May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log
+May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4
+May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.
+May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0
+May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10
+May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00
+May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0
+May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I
+May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)
+May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
+May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session
+May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006
+May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111
+May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src
fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group "out1111_access_out" [0x47e21ef4, 0x47e21ef4]
+May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111
+May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111
+May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner
+May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow
+May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief
+May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief
+May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1
first hit [0x38ff326b, 0x00000000]
+May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]
+May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner
+May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)
+May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985
+May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout
+May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)
+May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)
+May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063
+May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2
+May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]
+Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/
+Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout
+Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group "global_access_1"
+Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK
+Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'
+Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15
From: 1 To: 15
+Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user "*****"
+Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin
+Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user "admin"
+Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
+Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
+Apr 27 02:03:03 dev01: %ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session
+Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
+Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-config.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-config.json
new file mode 100644
index 00000000000..d84f1eae1eb
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-config.json
@@ -0,0 +1,10 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ },
+ "numeric_keyword_fields": [
+ "network.iana_number",
+ "event.code",
+ "syslog.facility"
+ ]
+}
\ No newline at end of file
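Review bot: Several fixture lines use routable public addresses and names that look lifted from a real environment rather than documentation ranges — `195.122.12.242`, `91.240.17.178`, `104.46.88.19`, `195.74.114.34`, the `FCD-FS-LAN` interface and `server.deflan` host — so once published this sample data points at someone's actual infrastructure; RFC 5737 ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and clearly synthetic hostnames exercise exactly the same grok paths without that exposure. A few addresses are also malformed (`192.1682.2.2` in the 302022 backup-stub line, `192.186.2.2` in the 302016 line, `192.18.4` in the 710006 and 313005 lines); if they are meant to probe how the pipeline copes with bad input, say so in the PR description, otherwise they read as typos that the golden file will quietly bake in. Relatedly, the expected output recorded for the 302021 line carries `"source_username": "type"`, which looks like the pattern for that message capturing a keyword as the user name — worth confirming before this fixture freezes it as correct behaviour.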
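Review bot: `"event.ingested": ".*"` makes the dynamic-field check accept any value, including an empty string, so it only proves the key is present; a timestamp-shaped pattern such as `"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$"` would still tolerate the per-run ingest time while catching a regression that writes garbage into it. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing so line-based diff and lint tooling treats it like the other fixtures.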
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
new file mode 100644
index 00000000000..f62bdaf377f
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
@@ -0,0 +1,4390 @@ +{ + "expected": [ + { + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "net" + } + } + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "nat": { + "ip": "8.8.5.4" + }, + "address": "192.168.2.2", + "port": 53500, + "ip": "192.168.2.2" + }, + "source": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "10.10.10.10", + "port": 53500, + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660240Z", + "code": 302013, + "original": "%FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "mapped_source_port": 53500, + "mapped_destination_ip": "8.8.5.4", + "mapped_source_ip": "8.8.8.8", + "connection_id": "111111111", + "source_interface": "net", + "mapped_destination_port": 53500, + "message_id": "302013" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "inbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "net" + } + } + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "nat": { + "ip": "8.8.5.4" + }, + "address": "192.168.2.2", 
+ "port": 53500, + "ip": "192.168.2.2" + }, + "source": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "10.10.10.10", + "port": 53500, + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660244Z", + "code": 302015, + "original": "%FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "mapped_source_port": 53500, + "mapped_destination_ip": "8.8.5.4", + "mapped_source_ip": "8.8.8.8", + "connection_id": "111111111", + "source_interface": "net", + "mapped_destination_port": 53500, + "message_id": "302015" + } + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "inbound" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660245Z", + "code": 302020, + "original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "mapped_source_ip": "8.8.8.8", + "message_id": "302020" + } + }, + "network": { + "protocol": "icmp", + "direction": "inbound" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", 
+ "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "net" + } + } + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2" + ] + }, + "log": { + "level": "debug" + }, + "host": { + "hostname": "dev01" + }, + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 7, + "duration": 0, + "ingested": "2020-11-30T17:49:39.660246Z", + "code": 609002, + "original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", + "kind": "event", + "start": "2020-05-05T17:51:17.000Z", + "action": "flow-expiration", + "end": "2020-05-05T17:51:17.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_interface": "net", + "message_id": "609002" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "net" + } + } + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2" + ] + }, + "log": { + "level": "debug" + }, + "host": { + "hostname": "dev01" + }, + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 7, + "ingested": "2020-11-30T17:49:39.660246Z", + "code": 609001, + "original": "%FTD-7-609001: Built local-host net:192.168.2.2", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_interface": "net", + "message_id": "609001" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + 
"destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660249Z", + "code": 302020, + "original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "mapped_source_ip": "8.8.8.8", + "message_id": "302020" + } + }, + "network": { + "protocol": "icmp", + "direction": "inbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "nat": { + "ip": "8.8.5.4" + }, + "address": "192.168.2.2", + "port": 111, + "ip": "192.168.2.2" + }, + "source": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "10.10.10.10", + "port": 111, + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660249Z", + "code": 805001, + "original": "%FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "mapped_source_port": 111, + "mapped_destination_ip": "8.8.5.4", + "mapped_source_ip": "8.8.8.8", + "connection_id": "111111111", + "source_interface": "fw111", + "mapped_destination_port": 111, 
+ "message_id": "805001" + } + }, + "network": { + "transport": "tcp flow" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "fw109" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "net" + } + } + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.192.18.4", + "10.192.70.66" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 443, + "address": "10.192.70.66", + "ip": "10.192.70.66" + }, + "source": { + "port": 51261, + "address": "10.192.18.4", + "ip": "10.192.18.4" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660250Z", + "code": 805002, + "original": "%FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "fw109", + "mapped_source_port": 51261, + "mapped_destination_ip": "10.192.70.66", + "mapped_source_ip": "10.192.18.4", + "connection_id": "941243214", + "source_interface": "net", + "mapped_destination_port": 443, + "message_id": "805002" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "debug" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 67, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 68, + "address": "192.168.2.2", + "ip": 
"192.168.2.2" + }, + "event": { + "severity": 7, + "ingested": "2020-11-30T17:49:39.660251Z", + "code": 710005, + "original": "%FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "message_id": "710005" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "port": 21, + "address": "10.192.18.4", + "ip": "10.192.18.4" + }, + "source": { + "port": 63656, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "network": { + "protocol": "ftp" + }, + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "net" + } + } + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "file": { + "path": "/export/home/sysm/ftproot/sdsdsds/tmp.log" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.192.18.4" + ] + }, + "host": { + "hostname": "dev01" + }, + "client": { + "user": { + "name": "testuser" + } + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660252Z", + "code": 303002, + "original": "%FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "source_interface": "net", + "message_id": "303002" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "debug" + 
}, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 7, + "ingested": "2020-11-30T17:49:39.660253Z", + "code": 710006, + "original": "%FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "710006" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T17:51:17.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:39.660253Z", + "code": 313005, + "original": "%FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "source_interface": "fw111", + "message_id": "313005" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T18:16:21.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660254Z", + "code": 302021, + "original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 
gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "mapped_source_ip": "8.8.8.8", + "source_username": "type", + "message_id": "302021" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "net" + } + } + }, + "@timestamp": "2020-05-05T18:22:35.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10" + ] + }, + "log": { + "level": "debug" + }, + "host": { + "hostname": "dev01" + }, + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 7, + "ingested": "2020-11-30T17:49:39.660255Z", + "code": 609001, + "original": "%ASA-7-609001: Built local-host net:10.10.10.10", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_interface": "net", + "message_id": "609001" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "identity" + } + } + }, + "@timestamp": "2020-05-05T18:24:31.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10" + ] + }, + "log": { + "level": "debug" + }, + "host": { + "hostname": "dev01" + }, + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 7, + "duration": 0, + "ingested": "2020-11-30T17:49:39.660256Z", + "code": 609002, + "original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", + "kind": "event", + "start": "2020-05-05T18:24:31.000Z", + "action": "flow-expiration", + "end": "2020-05-05T18:24:31.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + 
"end" + ] + }, + "cisco": { + "asa": { + "source_interface": "identity", + "message_id": "609002" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T18:29:32.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.192.46.90", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "10.192.46.90", + "ip": "10.192.46.90" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660257Z", + "code": 302020, + "original": "%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "mapped_source_ip": "8.8.8.8", + "message_id": "302020" + } + }, + "network": { + "protocol": "icmp", + "direction": "inbound" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T18:29:32.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660257Z", + "code": 302020, + "original": "%ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + 
"cisco": { + "asa": { + "mapped_source_ip": "8.8.8.8", + "message_id": "302020" + } + }, + "network": { + "protocol": "icmp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "out111" + } + } + }, + "@timestamp": "2020-05-05T18:29:32.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 55225, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "port": 443, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:39.660258Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", + "kind": "event", + "start": "2020-05-05T18:29:32.000Z", + "action": "flow-expiration", + "end": "2020-05-05T18:29:32.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "message_id": "302014", + "connection_id": "2960892904", + "source_interface": "out111" + } + }, + "network": { + "bytes": 0, + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "intfacename" + } + } + }, + "@timestamp": "2020-05-05T18:29:32.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "nat": { + "ip": "8.8.8.8" + }, 
+ "address": "10.10.10.10", + "port": 54839, + "ip": "10.10.10.10" + }, + "source": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "192.168.2.2", + "port": 80, + "ip": "192.168.2.2" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660259Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "net", + "mapped_source_port": 80, + "mapped_destination_ip": "8.8.8.8", + "mapped_source_ip": "8.8.8.8", + "connection_id": "1588662", + "source_interface": "intfacename", + "mapped_destination_port": 54839, + "message_id": "302013" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "out111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T18:29:32.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 54230, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "port": 54230, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:39.660260Z", + "code": 302012, + "original": "%ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "kind": "event", + "start": "2020-05-05T18:29:32.000Z", + "action": "flow-expiration", + "end": "2020-05-05T18:29:32.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + 
"end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "out111", + "source_interface": "fw111", + "message_id": "302012" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw502" + } + } + }, + "@timestamp": "2020-05-05T18:40:50.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:39.660260Z", + "code": 313004, + "original": "%ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "icmp_type": 0, + "source_interface": "fw502", + "message_id": "313004" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "out111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T18:40:50.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 57006, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "port": 57006, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660261Z", + "code": 305011, + 
"original": "%ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "out111", + "source_interface": "fw111", + "message_id": "305011" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "out111" + } + } + }, + "@timestamp": "2020-05-05T18:40:50.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 14322, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 43803, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:39.660262Z", + "code": 106001, + "original": "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "out111", + "message_id": "106001" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "inbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "intfacename" + } + } + }, + "@timestamp": "2020-05-05T18:40:50.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.186.2.2" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "dev01" + }, + "destination": 
{ + "geo": { + "continent_name": "North America", + "region_iso_code": "US-CA", + "city_name": "Thousand Oaks", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "California", + "location": { + "lon": -118.8199, + "lat": 34.197 + } + }, + "as": { + "number": 395776, + "organization": { + "name": "FEDERAL ONLINE GROUP LLC" + } + }, + "address": "192.186.2.2", + "port": 53356, + "ip": "192.186.2.2" + }, + "source": { + "port": 161, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 2, + "duration": 124000000000, + "ingested": "2020-11-30T17:49:39.660263Z", + "code": 302016, + "original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", + "kind": "event", + "start": "2020-05-05T18:38:46.000Z", + "action": "flow-expiration", + "end": "2020-05-05T18:40:50.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "net", + "message_id": "302016", + "connection_id": "1671727", + "source_interface": "intfacename" + } + }, + "network": { + "bytes": 64585, + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "intfacename" + } + } + }, + "@timestamp": "2020-05-05T18:40:50.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "192.168.2.2", + "port": 22638, + "ip": "192.168.2.2" + }, + "source": { + "nat": { + "ip": "8.8.8.4" + }, + "address": "10.10.10.10", + "port": 161, + "ip": "10.10.10.10" + }, + "event": { + "severity": 2, + "ingested": 
"2020-11-30T17:49:39.660264Z", + "code": 302015, + "original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "net", + "mapped_source_port": 161, + "mapped_destination_ip": "8.8.8.8", + "mapped_source_ip": "8.8.8.4", + "connection_id": "1743372", + "source_interface": "intfacename", + "mapped_destination_port": 22638, + "message_id": "302015" + } + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "intfacename" + } + } + }, + "@timestamp": "2020-05-05T18:40:50.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "192.168.2.2", + "port": 22638, + "ip": "192.168.2.2" + }, + "source": { + "nat": { + "ip": "8.8.8.4" + }, + "address": "10.10.10.10", + "port": 161, + "ip": "10.10.10.10" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:39.660264Z", + "code": 302015, + "original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "net", + "mapped_source_port": 161, + "mapped_destination_ip": "8.8.8.8", + "mapped_source_ip": "8.8.8.4", + "connection_id": "1743372", + "source_interface": "intfacename", + 
"mapped_destination_port": 22638, + "message_id": "302015" + } + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "out111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T18:40:50.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 443, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "port": 64388, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:39.660265Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "out111", + "message_id": "106023", + "rule_name": "out1111_access_out", + "source_interface": "fw111" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T18:40:50.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 4, + "ingested": 
"2020-11-30T17:49:39.660266Z", + "code": 106021, + "original": "%ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "fw111", + "message_id": "106021" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T19:02:58.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 65020, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 65020, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:39.660267Z", + "code": 106006, + "original": "%ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "fw111", + "message_id": "106006" + } + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "inbound" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "out111" + } + } + }, + "@timestamp": "2020-05-05T19:02:58.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 443, + "address": 
"10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 53089, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660267Z", + "code": 106015, + "original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ], + "outcome": "tcp" + }, + "cisco": { + "asa": { + "source_interface": "out111", + "message_id": "106015" + } + }, + "network": { + "transport": "(no" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "out111" + } + } + }, + "@timestamp": "2020-05-05T19:02:58.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 443, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 17127, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660268Z", + "code": 106015, + "original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ], + "outcome": "tcp" + }, + "cisco": { + "asa": { + "source_interface": "out111", + "message_id": "106015" + } + }, + "network": { + "transport": "(no" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T19:02:58.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { 
+ "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 443, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 24223, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660269Z", + "code": 106015, + "original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ], + "outcome": "tcp" + }, + "cisco": { + "asa": { + "source_interface": "fw111", + "message_id": "106015" + } + }, + "network": { + "transport": "(no" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw1111" + } + } + }, + "@timestamp": "2020-05-05T19:02:58.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "192.168.2.2", + "port": 10051, + "ip": "192.168.2.2" + }, + "source": { + "nat": { + "ip": "8.8.8.5" + }, + "address": "10.10.10.10", + "port": 38540, + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660270Z", + "code": 302022, + "original": "%ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "net", + "mapped_source_port": 38540, + "mapped_destination_ip": "8.8.8.8", + "mapped_source_ip": "8.8.8.5", + "source_interface": "fw1111", + 
"mapped_destination_port": 10051, + "message_id": "302022" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T19:02:58.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "nat": { + "ip": "8.8.8.8" + }, + "address": "192.168.2.2", + "port": 10051, + "ip": "192.168.2.2" + }, + "source": { + "nat": { + "ip": "8.8.8.5" + }, + "address": "10.10.10.10", + "port": 38540, + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660270Z", + "code": 302022, + "original": "%ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "net", + "mapped_source_port": 38540, + "mapped_destination_ip": "8.8.8.8", + "mapped_source_ip": "8.8.8.5", + "source_interface": "fw111", + "mapped_destination_port": 10051, + "message_id": "302022" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T19:02:58.000Z", + "related": { + "hosts": [ + "dev01", + "192.1682.2.2" + ], + "ip": [ + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "nat": { + "ip": 
"8.8.8.8" + }, + "address": "192.1682.2.2", + "port": 10051, + "domain": "192.1682.2.2" + }, + "source": { + "nat": { + "ip": "8.8.8.5" + }, + "address": "10.10.10.10", + "port": 38540, + "ip": "10.10.10.10" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660271Z", + "code": 302022, + "original": "%ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "net", + "mapped_source_port": 38540, + "mapped_destination_ip": "8.8.8.8", + "mapped_source_ip": "8.8.8.5", + "source_interface": "fw111", + "mapped_destination_port": 10051, + "message_id": "302022" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T19:02:58.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660272Z", + "code": 302023, + "original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "302023" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T19:02:58.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660273Z", + "code": 
302023, + "original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "302023" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T19:03:27.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "debug" + }, + "host": { + "user": { + "name": "aaaa" + }, + "hostname": "dev01" + }, + "event": { + "severity": 7, + "ingested": "2020-11-30T17:49:39.660274Z", + "code": 111009, + "original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "111009", + "command_line_arguments": "show access-list fw211111_access_out brief" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T19:02:26.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "debug" + }, + "host": { + "user": { + "name": "aaaa" + }, + "hostname": "dev01" + }, + "event": { + "severity": 7, + "ingested": "2020-11-30T17:49:39.660274Z", + "code": 111009, + "original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "111009", + "command_line_arguments": "show access-list aaa_out brief" + } + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", 
+ "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "ptaaac" + } + } + }, + "@timestamp": "2020-05-05T19:02:26.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 3452, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 62157, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660275Z", + "code": 106100, + "original": "%ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "message_id": "106100", + "rule_name": "fw111_out", + "source_interface": "ptaaac" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "net" + } + } + }, + "@timestamp": "2020-05-05T19:02:26.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "192.168.2.2", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 6007, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 49033, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660276Z", + "code": 106100, + "original": "%ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval 
[0x38ff326b, 0x00000000]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "message_id": "106100", + "rule_name": "fw111_out", + "source_interface": "net" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T19:02:26.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660277Z", + "code": 302027, + "original": "%ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "302027" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T19:02:26.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660277Z", + "code": 302026, + "original": "%ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "302026" + } + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "net" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": 
"2020-05-05T19:02:26.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "debug" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 1985, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "port": 1985, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 7, + "ingested": "2020-11-30T17:49:39.660278Z", + "code": 710005, + "original": "%ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "net", + "message_id": "710005" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T19:02:26.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660279Z", + "code": 302025, + "original": "%ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "302025" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T19:02:26.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660280Z", + "code": 302024, + "original": "%ASA-6-302024: Built 
backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "302024" + } + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T19:02:26.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "10.10.10.10" + ] + }, + "log": { + "level": "error" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.10.10.10(type", + "ip": "10.10.10.10" + }, + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 3, + "ingested": "2020-11-30T17:49:39.660280Z", + "code": 106014, + "original": "%ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "source_interface": "fw111", + "message_id": "106014" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp", + "direction": "inbound" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-05-05T19:02:25.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:39.660281Z", + "code": 733100, + "original": "%ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. 
Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "733100", + "burst": { + "configured_avg_rate": "-4", + "cumulative_count": "9063", + "configured_rate": "-4", + "avg_rate": "7", + "current_rate": "0", + "id": "rate-1", + "object": "192.168.2.2" + } + } + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "fw111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T19:02:25.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.10", + "10.10.10.10" + ] + }, + "log": { + "level": "error" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 2, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 5114, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 3, + "ingested": "2020-11-30T17:49:39.660282Z", + "code": 106010, + "original": "%ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "fw111", + "source_interface": "fw111", + "message_id": "106010" + } + }, + "network": { + "transport": "sctp", + "direction": "inbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "out111" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "fw111" + } + } + }, + "@timestamp": "2020-05-05T19:02:25.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + 
"10.10.10.10", + "192.168.2.2" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 80, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "port": 49574, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:39.660283Z", + "code": 507003, + "original": "%ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "out111", + "source_interface": "fw111", + "message_id": "507003" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T04:18:49.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.20.30.40", + "10.20.30.40" + ] + }, + "log": { + "level": "notification" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "source": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:39.660284Z", + "code": 304001, + "original": "%ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "message_id": "304001" + } + }, + "url": { + "original": "http://10.20.30.40/" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T04:18:49.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.20.30.40", + 
"10.20.30.40" + ] + }, + "log": { + "level": "notification" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "source": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:39.660284Z", + "code": 304001, + "original": "%ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "message_id": "304001" + } + }, + "url": { + "original": "http://10.20.30.40/IOFUHSIU98[0]" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T17:54:52.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.20.30.40", + "10.20.30.40" + ] + }, + "log": { + "level": "notification" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "source": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:39.660285Z", + "code": 304001, + "original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "message_id": "304001" + } + }, + "url": { + "original": "http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T04:18:49.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.20.30.40", + "10.20.30.40" + ] + }, + "log": { + "level": 
"notification" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "source": { + "address": "10.20.30.40", + "ip": "10.20.30.40" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:39.660286Z", + "code": 304001, + "original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "message_id": "304001" + } + }, + "url": { + "original": "http://10.20.30.40/" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "server.deflan" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "server.deflan" + } + } + }, + "@timestamp": "2020-04-27T04:12:23.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "1.2.3.4", + "2.3.4.5" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "FR-63", + "city_name": "Clermont-Ferrand", + "country_iso_code": "FR", + "country_name": "France", + "region_name": "Puy-de-Dôme", + "location": { + "lon": 3.0966, + "lat": 45.7838 + } + }, + "as": { + "number": 3215, + "organization": { + "name": "Orange" + } + }, + "address": "2.3.4.5", + "port": 9101, + "ip": "2.3.4.5" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "RU-MOW", + "city_name": "Moscow", + "country_iso_code": "RU", + "country_name": "Russia", + "region_name": "Moscow", + "location": { + "lon": 37.6172, + "lat": 55.7527 + } + }, + "address": "1.2.3.4", + "port": 54242, + "ip": "1.2.3.4" + }, + "event": { + "severity": 6, + "duration": 3602000000000, + "ingested": "2020-11-30T17:49:39.660287Z", + "code": 302304, + "original": "%ASA-6-302304: 
Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", + "kind": "event", + "start": "2020-04-27T03:12:21.000Z", + "action": "flow-expiration", + "end": "2020-04-27T04:12:23.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "server.deflan", + "message_id": "302304", + "connection_id": "2751765169", + "source_interface": "server.deflan" + } + }, + "network": { + "bytes": 245, + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "srv" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2020-04-27T02:02:02.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.10.2", + "192.168.2.2" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "port": 51635, + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "source": { + "port": 56444, + "address": "10.10.10.2", + "ip": "10.10.10.2" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:39.660288Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "srv", + "message_id": "106023", + "rule_name": "global_access_1", + "source_interface": "outside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + 
"vendor": "Cisco", + "egress": { + "interface": { + "name": "insideintf" + } + } + }, + "@timestamp": "2019-10-20T15:15:15.000Z", + "related": { + "hosts": [ + "dev01", + "somedomainname.local" + ], + "ip": [ + "195.122.12.242" + ] + }, + "log": { + "level": "notification" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "LV-RIX", + "city_name": "Riga", + "country_iso_code": "LV", + "country_name": "Latvia", + "region_name": "Riga", + "location": { + "lon": 24.0978, + "lat": 56.9496 + } + }, + "as": { + "number": 12578, + "organization": { + "name": "SIA Tet" + } + }, + "address": "195.122.12.242", + "port": 53, + "ip": "195.122.12.242" + }, + "source": { + "port": 27218, + "address": "somedomainname.local", + "domain": "somedomainname.local" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:39.660288Z", + "code": 106100, + "original": "%ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "OUTSIDE", + "message_id": "106100", + "rule_name": "testrulename", + "source_interface": "insideintf" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01", + "console" + ] + }, + "log": { + "level": "notification" + }, + "host": { + "hostname": "dev01" + }, + "source": { + "address": "console", + "domain": "console" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:39.660289Z", + "code": 111004, + "original": "%ASA-5-111004: console end configuration: 
OK", + "kind": "event", + "action": "firewall-rule", + "type": [ + "info" + ], + "category": [ + "network" + ], + "outcome": "success" + }, + "cisco": { + "asa": { + "message_id": "111004" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.0.87" + ] + }, + "log": { + "level": "notification" + }, + "host": { + "user": { + "name": "enable_15" + }, + "hostname": "dev01" + }, + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:39.660290Z", + "code": 111010, + "original": "%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "111010", + "command_line_arguments": "'clear'" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "notification" + }, + "host": { + "user": { + "name": "enable_15" + }, + "hostname": "dev01" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:39.660291Z", + "code": 502103, + "original": "%ASA-5-502103: User priv level changed: Uname: enable_15 
From: 1 To: 15", + "kind": "event", + "action": "firewall-rule", + "type": [ + "info" + ], + "category": [ + "network" + ] + }, + "cisco": { + "asa": { + "message_id": "502103", + "privilege": { + "new": "15", + "old": "1" + } + } + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "FCD-FS-LAN" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.1.212", + "10.10.1.254" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.10.1.254", + "ip": "10.10.1.254" + }, + "source": { + "address": "10.10.1.212", + "port": 51923, + "user": { + "name": "*****" + }, + "ip": "10.10.1.212" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660291Z", + "code": 605004, + "original": "%ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "FCD-FS-LAN", + "message_id": "605004" + } + }, + "network": { + "protocol": "https" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.0.87" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "user": { + "name": "admin" + }, + "hostname": "dev01" + }, + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660292Z", + "code": 611102, + "original": "%ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", + "kind": "event", + "action": "firewall-rule", + "category": [ 
+ "network" + ], + "type": [ + "info" + ], + "outcome": "failed" + }, + "cisco": { + "asa": { + "message_id": "611102" + } + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "FCD-FS-LAN" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.0.87", + "10.10.1.254" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "address": "10.10.1.254", + "ip": "10.10.1.254" + }, + "source": { + "address": "10.10.0.87", + "port": 6651, + "user": { + "name": "admin" + }, + "ip": "10.10.0.87" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660293Z", + "code": 605005, + "original": "%ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "FCD-FS-LAN", + "message_id": "605005" + } + }, + "network": { + "protocol": "ssh" + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "10.10.0.87" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "user": { + "name": "admin" + }, + "hostname": "dev01" + }, + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660294Z", + "code": 611101, + "original": "%ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ], + "outcome": "succeeded" + }, + "cisco": { + "asa": { + 
"message_id": "611101" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.178" + ] + }, + "log": { + "level": "notification" + }, + "host": { + "hostname": "dev01" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + "name": "CDW Ltd" + } + }, + "address": "91.240.17.178", + "ip": "91.240.17.178" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:39.660294Z", + "code": 713049, + "original": "%ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "713049" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "91.240.17.178" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0247, + "lat": 51.5888 + } + }, + "as": { + "number": 201126, + "organization": { + "name": "CDW Ltd" + } + }, + "address": "91.240.17.178", + "bytes": 1216163, + "ip": "91.240.17.178" + }, + "source": { + "user": { + "name": 
"91.240.17.178" + }, + "bytes": 297103 + }, + "event": { + "severity": 4, + "duration": 0, + "ingested": "2020-11-30T17:49:39.660295Z", + "code": 113019, + "original": "%ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "kind": "event", + "start": "2020-04-27T02:03:03.000Z", + "action": "firewall-rule", + "end": "2020-04-27T02:03:03.000Z", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "113019" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "8.8.8.8" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "address": "8.8.8.8", + "user": { + "name": "testuser" + }, + "ip": "8.8.8.8" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:39.660296Z", + "code": 722051, + "original": "%ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "722051", + "assigned_ip": "8.8.4.4" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "8.8.8.8" + ] + }, + "log": { + "level": "informational" 
+ }, + "host": { + "hostname": "dev01" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "address": "8.8.8.8", + "user": { + "name": "testuser" + }, + "ip": "8.8.8.8" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:39.660297Z", + "code": 716002, + "original": "%ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "716002" + } + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "104.46.88.19", + "195.74.114.34" + ] + }, + "log": { + "level": "error" + }, + "host": { + "hostname": "dev01" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-HCK", + "city_name": "Stoke Newington", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Hackney", + "location": { + "lon": -0.0765, + "lat": 51.5638 + } + }, + "as": { + "number": 8468, + "organization": { + "name": "Entanet" + } + }, + "address": "195.74.114.34", + "port": 23, + "ip": "195.74.114.34" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "IE-L", + "city_name": "Dublin", + "country_iso_code": "IE", + "country_name": "Ireland", + "region_name": "Leinster", + "location": { + "lon": -6.2488, + "lat": 53.3338 + } + }, + "as": { + "number": 8075, + "organization": { + "name": "Microsoft Corporation" + } + }, + "address": "104.46.88.19", + "port": 6370, + "ip": 
"104.46.88.19" + }, + "event": { + "severity": 3, + "ingested": "2020-11-30T17:49:39.660297Z", + "code": 710003, + "original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "710003" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log new file mode 100644 index 00000000000..80efe8a5553 --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log 
@@ -0,0 +1,11 @@
+Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)
+Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group "Inside_access_in" [0x0, 0x0]
+Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0]
+Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0]
+Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123
+Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1
+Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8
+Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
+Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
+Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
+Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
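Review bot: Lines 1 and 4 carry the `(LOCAL\Elastic)` username suffix, and the expected document for line 1 in test-asa-fix.log-expected.json pins it as `"source_username": "(LOCAL\\Elastic)"` with the wrapping parentheses still attached and no `source.user.name`, so any detection rule keyed on the user name would have to match the parentheses too. If that is not the intended contract, the pipeline should strip the parentheses and also map the value to `source.user.name`, with the expected file regenerated afterwards; the fixture as written would otherwise lock in the current behaviour. Line 9 spells the username as `(LOCAL\\username)` with a doubled backslash while lines 1 and 4 use a single one; if the doubled form is deliberate (exercising escaped input) it deserves a mention in the PR description, otherwise it looks like a fixture typo.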
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-config.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-config.json
new file mode 100644
index 00000000000..d84f1eae1eb
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-config.json
@@ -0,0 +1,10 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ },
+ "numeric_keyword_fields": [
+ "network.iana_number",
+ "event.code",
+ "syslog.facility"
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json
new file mode 100644
index 00000000000..931e5888a5e
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json
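Review bot: `event.ingested` is matched against `.*`, which also accepts an empty or malformed value, so a regression that drops or garbles the ingest timestamp would still pass this pipeline test; a narrower pattern such as `"event.ingested": "^\\d{4}-\\d{2}-\\d{2}T"` keeps the field dynamic while still requiring a timestamp shape. `syslog.facility` is listed under `numeric_keyword_fields`, but none of the expected documents visible in this diff carry a `syslog` object, so that entry may be a leftover from another template; worth confirming against the pipeline output before keeping it.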
@@ -0,0 +1,754 @@ +{ + "expected": [ + { + "observer": { + "ingress": { + "interface": { + "name": "Inside" + } + }, + "hostname": "SNL-ASA-VPN-A01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Outside" + } + } + }, + "@timestamp": "2020-04-17T14:08:08.000Z", + "related": { + "hosts": [ + "SNL-ASA-VPN-A01" + ], + "ip": [ + "10.123.123.123", + "10.233.123.123" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" + }, + "destination": { + "port": 53, + "address": "10.233.123.123", + "ip": "10.233.123.123" + }, + "source": { + "port": 53723, + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.632937Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", + "kind": "event", + "start": "2020-04-17T14:08:08.000Z", + "action": "flow-expiration", + "end": "2020-04-17T14:08:08.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_username": "(LOCAL\\Elastic)", + "destination_interface": "Inside", + "message_id": "302016", + "connection_id": "110577675", + "source_interface": "Outside" + } + }, + "network": { + "bytes": 148, + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "Outside" + } + }, + "hostname": "SNL-ASA-VPN-A01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Inside" + } + } + }, + "@timestamp": "2020-04-17T14:00:31.000Z", + "related": { + "hosts": [ + "SNL-ASA-VPN-A01" + ], + "ip": [ + "10.123.123.123", + "10.123.123.123" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" + }, + "destination": { + "address": 
"10.123.123.123", + "ip": "10.123.123.123" + }, + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.632939Z", + "code": 106023, + "original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "Outside", + "message_id": "106023", + "rule_name": "Inside_access_in", + "source_interface": "Inside" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "dmz" + } + } + }, + "@timestamp": "2013-04-15T09:36:50.000Z", + "related": { + "ip": [ + "10.123.123.123", + "10.123.123.123" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 53, + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "source": { + "port": 6316, + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.632940Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106023", + "rule_name": "acl_dmz", + "source_interface": "dmz" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "Outside" + } + }, + 
"hostname": "SNL-ASA-VPN-A01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Inside" + } + } + }, + "@timestamp": "2020-04-17T14:16:20.000Z", + "related": { + "hosts": [ + "SNL-ASA-VPN-A01" + ], + "ip": [ + "10.123.123.123", + "10.123.123.123" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" + }, + "destination": { + "port": 57621, + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "source": { + "port": 57621, + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.632941Z", + "code": 106023, + "original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_username": "(LOCAL\\Elastic)", + "destination_interface": "Outside", + "message_id": "106023", + "rule_name": "Inside_access_in", + "source_interface": "Inside" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "hostname": "SNL-ASA-VPN-A01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-04-17T14:15:07.000Z", + "related": { + "hosts": [ + "SNL-ASA-VPN-A01" + ], + "ip": [ + "10.123.123.123", + "10.123.123.123" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" + }, + "destination": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "source": { + "address": "10.123.123.123", + "ip": "10.123.123.123" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:41.632942Z", + "code": 106017, + "original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", + "kind": "event", + 
"action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "message_id": "106017" + } + } + }, + { + "observer": { + "hostname": "SNL-ASA-VPN-A01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "ISP1" + } + } + }, + "@timestamp": "2020-04-17T14:15:07.000Z", + "related": { + "hosts": [ + "SNL-ASA-VPN-A01" + ], + "ip": [ + "fe80::1ff:fe23:4567:890a" + ] + }, + "log": { + "level": "error" + }, + "host": { + "hostname": "SNL-ASA-VPN-A01" + }, + "source": { + "address": "fe80::1ff:fe23:4567:890a", + "ip": "fe80::1ff:fe23:4567:890a" + }, + "event": { + "severity": 3, + "ingested": "2020-11-30T17:49:41.632943Z", + "code": 313008, + "original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "icmp_type": 134, + "message_id": "313008", + "icmp_code": 0, + "source_interface": "ISP1" + } + }, + "network": { + "iana_number": 58, + "transport": "ipv6-icmp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "identity" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Inside" + } + } + }, + "@timestamp": "2020-06-08T12:59:57.000Z", + "related": { + "ip": [ + "10.255.0.206", + "10.12.31.51" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 0, + "address": "10.12.31.51", + "ip": "10.12.31.51" + }, + "source": { + "port": 8795, + "address": "10.255.0.206", + "ip": "10.255.0.206" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.632943Z", + "code": 313009, + "original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 
(10.12.31.51/0), ICMP id 295, ICMP type 8", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "identity", + "mapped_source_port": 8795, + "mapped_destination_ip": "10.12.31.51", + "mapped_source_ip": "10.255.0.206", + "source_interface": "Inside", + "mapped_destination_port": 0, + "message_id": "313009", + "icmp_code": 9 + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "dmz2" + } + } + }, + "@timestamp": "2019-10-20T15:42:53.000Z", + "related": { + "ip": [ + "127.2.3.4", + "127.3.4.5" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 53, + "address": "127.3.4.5", + "ip": "127.3.4.5" + }, + "source": { + "port": 56575, + "address": "127.2.3.4", + "ip": "127.2.3.4" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.632944Z", + "code": 106100, + "original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106100", + "rule_name": "incoming", + "source_interface": "dmz2" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "dmz2" + } + } + }, + "@timestamp": "2019-10-20T15:42:54.000Z", + "related": { + "ip": [ + "127.2.3.4", + "127.3.4.5" + ] + }, + 
"log": { + "level": "informational" + }, + "destination": { + "port": 53, + "address": "127.3.4.5", + "ip": "127.3.4.5" + }, + "source": { + "port": 56575, + "address": "127.2.3.4", + "ip": "127.2.3.4" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.632945Z", + "code": 106100, + "original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106100", + "rule_name": "incoming", + "source_interface": "dmz2" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2020-08-06T11:01:37.000Z", + "related": { + "user": [ + "redacted" + ], + "ip": [ + "10.123.123.20", + "10.223.223.40" + ] + }, + "log": { + "level": "error" + }, + "destination": { + "port": 53, + "address": "10.223.223.40", + "ip": "10.223.223.40" + }, + "source": { + "port": 49721, + "address": "10.123.123.20", + "ip": "10.123.123.20" + }, + "event": { + "severity": 3, + "ingested": "2020-11-30T17:49:41.632946Z", + "code": 106102, + "original": "%ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "user": { + "name": "redacted" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106102", + "suffix": 
"session", + "rule_name": "dev_inward_client", + "source_interface": "outside" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2020-08-06T11:01:38.000Z", + "related": { + "user": [ + "joe" + ], + "ip": [ + "10.1.2.3", + "1.2.33.40" + ] + }, + "log": { + "level": "alert" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-GD", + "country_name": "China", + "region_name": "Guangdong", + "location": { + "lon": 113.25, + "lat": 23.1167 + }, + "country_iso_code": "CN" + }, + "address": "1.2.33.40", + "port": 8080, + "ip": "1.2.33.40" + }, + "source": { + "port": 64321, + "address": "10.1.2.3", + "ip": "10.1.2.3" + }, + "event": { + "severity": 1, + "ingested": "2020-11-30T17:49:41.632947Z", + "code": 106103, + "original": "%ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "user": { + "name": "joe" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106103", + "rule_name": "filter", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log new file mode 100644 index 00000000000..9f0a0b8b598 --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log 
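Review bot: The expected output pins `cisco.asa.source_username` as `(LOCAL\\Elastic)` with the parentheses kept for the 302016 and 106023 events, while the second 106100 event (`(LOCAL\\username)` in the raw message) yields no username field at all and the 106102/106103 events put the user into `user.name` and `related.user` instead. Committing these values as expectations freezes that inconsistency, so a later pipeline fix that strips the parentheses or maps the username consistently will fail this test rather than be caught by it. If the parentheses are not intended, the fix belongs in the ingest pipeline before this file is regenerated, and mapping `source_username` into `user.name`/`related.user` as the 106102/106103 path already does would let analysts pivot on one field across message types.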
@@ -0,0 +1,268 @@
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for 
outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237
+Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 
11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1459 to outside:100.66.98.44/8272
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30
+Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst 
inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP 
connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1279 to outside:100.66.98.44/8283 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 
to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: 
Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308 +Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: 
%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" 
[0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 
0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-config.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-config.json new file mode 100644 index 00000000000..d84f1eae1eb --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-config.json @@ -0,0 +1,10 @@ +{ + "dynamic_fields": { + "event.ingested": ".*" + }, + "numeric_keyword_fields": [ + "network.iana_number", + "event.code", + "syslog.facility" + ] +} \ No newline at end of file 
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json
new file mode 100644
index 00000000000..383be8f7a93
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json
@@ -0,0 +1,19583 @@ +{ + "expected": [ + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8256, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1772, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981839Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1772, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.205.104", + "ip": "100.66.205.104" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.205.104", + "172.31.98.44" + ] 
+ }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981841Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.205.104", + "connection_id": "11757", + "source_interface": "outside", + "mapped_destination_port": 1772, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1758, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.211.242", + "ip": "100.66.211.242" + }, + "network": { + "bytes": 38110, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.211.242", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 67000000000, + "ingested": "2020-11-30T17:49:41.981842Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:49.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + 
"cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11749", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1757, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.211.242", + "ip": "100.66.211.242" + }, + "network": { + "bytes": 44010, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.211.242", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 67000000000, + "ingested": "2020-11-30T17:49:41.981843Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:49.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11748", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1755, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.185.90", + "ip": "100.66.185.90" + }, + "network": { + "bytes": 7652, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + 
"name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.185.90", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 67000000000, + "ingested": "2020-11-30T17:49:41.981844Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:49.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11745", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1754, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.185.90", + "ip": "100.66.185.90" + }, + "network": { + "bytes": 7062, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.185.90", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 67000000000, + "ingested": "2020-11-30T17:49:41.981845Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 
to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:49.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11744", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1752, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.160.197", + "ip": "100.66.160.197" + }, + "network": { + "bytes": 5738, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.160.197", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 68000000000, + "ingested": "2020-11-30T17:49:41.981846Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:48.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11742", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1749, + 
"address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.205.14", + "ip": "100.66.205.14" + }, + "network": { + "bytes": 4176, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.205.14", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 68000000000, + "ingested": "2020-11-30T17:49:41.981846Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:48.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11738", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1750, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.33", + "ip": "100.66.124.33" + }, + "network": { + "bytes": 1715, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.33", + 
"172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 68000000000, + "ingested": "2020-11-30T17:49:41.981847Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:48.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11739", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1747, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.35.9", + "ip": "100.66.35.9" + }, + "network": { + "bytes": 45595, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.35.9", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 69000000000, + "ingested": "2020-11-30T17:49:41.981848Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:47.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + 
"destination_interface": "inside", + "message_id": "302014", + "connection_id": "11731", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1742, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.211.242", + "ip": "100.66.211.242" + }, + "network": { + "bytes": 27359, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.211.242", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 69000000000, + "ingested": "2020-11-30T17:49:41.981849Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:47.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11723", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1741, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.218.21", + "ip": "100.66.218.21" + }, + "network": { + "bytes": 4457, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + 
"hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.218.21", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 69000000000, + "ingested": "2020-11-30T17:49:41.981850Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:47.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11715", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1739, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.198.27", + "ip": "100.66.198.27" + }, + "network": { + "bytes": 26709, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.198.27", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 69000000000, + "ingested": "2020-11-30T17:49:41.981851Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 
duration 0:01:09 bytes 26709 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:47.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11711", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1740, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.198.27", + "ip": "100.66.198.27" + }, + "network": { + "bytes": 22097, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.198.27", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 69000000000, + "ingested": "2020-11-30T17:49:41.981852Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:47.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11712", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1738, + "address": "172.31.98.44", + 
"ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.202.211", + "ip": "100.66.202.211" + }, + "network": { + "bytes": 2209, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.202.211", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 70000000000, + "ingested": "2020-11-30T17:49:41.981852Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:46.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11708", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1756, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.15", + "ip": "100.66.124.15" + }, + "network": { + "bytes": 10404, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.15", + "172.31.98.44" + ] + }, + 
"host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 67000000000, + "ingested": "2020-11-30T17:49:41.981853Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:49.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11746", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1737, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.15", + "ip": "100.66.124.15" + }, + "network": { + "bytes": 123694, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.15", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 70000000000, + "ingested": "2020-11-30T17:49:41.981854Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:46.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + 
"destination_interface": "inside", + "message_id": "302014", + "connection_id": "11706", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1736, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.209.247", + "ip": "100.66.209.247" + }, + "network": { + "bytes": 35835, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.209.247", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 71000000000, + "ingested": "2020-11-30T17:49:41.981855Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:33:45.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11702", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1765, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.35.162", + "ip": "100.66.35.162" + }, + "network": { + "bytes": 0, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + 
"hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.35.162", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 30000000000, + "ingested": "2020-11-30T17:49:41.981856Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "kind": "event", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11753", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1188, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981857Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", + "kind": "event", + "action": 
"firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.80.32", + "ip": "100.66.80.32" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.80.32", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981858Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.80.32", + "connection_id": "11758", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.80.32", + "ip": "100.66.80.32" + }, + "network": { + "bytes": 148, + "iana_number": 
17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.80.32", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981858Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11758", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.252.6", + "ip": "100.66.252.6" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.252.6", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981859Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP 
connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.252.6", + "connection_id": "11759", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.252.6", + "ip": "100.66.252.6" + }, + "network": { + "bytes": 164, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.252.6", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981860Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11759", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + 
"level": "informational" + }, + "destination": { + "port": 8257, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1773, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981861Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1773, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.252.226", + "ip": "100.66.252.226" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.252.226", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": 
"2020-11-30T17:49:41.981862Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.252.226", + "connection_id": "11760", + "source_interface": "outside", + "mapped_destination_port": 1773, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8258, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1774, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981863Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1774, + "address": 
"172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.252.226", + "ip": "100.66.252.226" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.252.226", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981863Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.252.226", + "connection_id": "11761", + "source_interface": "outside", + "mapped_destination_port": 1774, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.238.126", + "ip": "100.66.238.126" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + 
"localhost" + ], + "ip": [ + "100.66.238.126", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981864Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.238.126", + "connection_id": "11762", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.93.51", + "ip": "100.66.93.51" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.93.51", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981865Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + 
"destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.93.51", + "connection_id": "11763", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.238.126", + "ip": "100.66.238.126" + }, + "network": { + "bytes": 111, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.238.126", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981866Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11762", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.93.51", + "ip": "100.66.93.51" + }, + "network": { + "bytes": 237, + 
"iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.93.51", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981867Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11763", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8259, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1775, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981867Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation 
from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1775, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 443, + "address": "100.66.225.103", + "ip": "100.66.225.103" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.225.103", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981868Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 443, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.225.103", + "connection_id": "11764", + "source_interface": "outside", + "mapped_destination_port": 1775, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1189, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 56132, 
+ "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981869Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.240.126", + "ip": "100.66.240.126" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.240.126", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981870Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to 
inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.240.126", + "connection_id": "11772", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.44.45", + "ip": "100.66.44.45" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.44.45", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981871Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.44.45", + "connection_id": "11773", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + 
"level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.240.126", + "ip": "100.66.240.126" + }, + "network": { + "bytes": 87, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.240.126", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981872Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11772", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.44.45", + "ip": "100.66.44.45" + }, + "network": { + "bytes": 221, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + 
"localhost" + ], + "ip": [ + "100.66.44.45", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981872Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11773", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8265, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1452, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981873Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + 
"pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1452, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.179.219", + "ip": "100.66.179.219" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.179.219", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981874Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.179.219", + "connection_id": "11774", + "source_interface": "outside", + "mapped_destination_port": 1452, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.157.232", + "ip": "100.66.157.232" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + 
"name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.157.232", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981875Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.157.232", + "connection_id": "11775", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.178.133", + "ip": "100.66.178.133" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.178.133", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981876Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": 
"firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.178.133", + "connection_id": "11776", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.157.232", + "ip": "100.66.157.232" + }, + "network": { + "bytes": 101, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.157.232", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981877Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11775", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { 
+ "port": 53, + "address": "100.66.178.133", + "ip": "100.66.178.133" + }, + "network": { + "bytes": 126, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.178.133", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981877Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11776", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8266, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1453, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": 
"2020-11-30T17:49:41.981878Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1453, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.133.112", + "ip": "100.66.133.112" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.133.112", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981879Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.133.112", + "connection_id": "11777", + "source_interface": "outside", + "mapped_destination_port": 1453, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": 
{ + "port": 1453, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.133.112", + "ip": "100.66.133.112" + }, + "network": { + "bytes": 862, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.133.112", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981880Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11777", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.204.197", + "ip": "100.66.204.197" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + 
"100.66.204.197", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981881Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.204.197", + "connection_id": "11779", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.157.232", + "ip": "100.66.157.232" + }, + "network": { + "bytes": 104, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.157.232", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981882Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + 
"end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11778", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.204.197", + "ip": "100.66.204.197" + }, + "network": { + "bytes": 176, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.204.197", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981882Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11779", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8267, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1454, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + 
"hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981883Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1454, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.128.3", + "ip": "100.66.128.3" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.128.3", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981884Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": 
"inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.128.3", + "connection_id": "11780", + "source_interface": "outside", + "mapped_destination_port": 1454, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8268, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1455, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981885Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1455, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.128.3", + "ip": "100.66.128.3" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": 
"Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.128.3", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981886Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.128.3", + "connection_id": "11781", + "source_interface": "outside", + "mapped_destination_port": 1455, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8269, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1456, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981887Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + 
"info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1456, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.128.3", + "ip": "100.66.128.3" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.128.3", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981887Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.128.3", + "connection_id": "11782", + "source_interface": "outside", + "mapped_destination_port": 1456, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.100.4", + "ip": "100.66.100.4" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + 
"ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.100.4", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981888Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.100.4", + "connection_id": "11783", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.100.4", + "ip": "100.66.100.4" + }, + "network": { + "bytes": 104, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.100.4", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981889Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown 
UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11783", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8270, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1457, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981890Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1457, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.198.40", + "ip": "100.66.198.40" + }, + "network": { + 
"iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.198.40", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981891Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.198.40", + "connection_id": "11784", + "source_interface": "outside", + "mapped_destination_port": 1457, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8271, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1458, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981892Z", + 
"code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1458, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.198.40", + "ip": "100.66.198.40" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.198.40", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981893Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.198.40", + "connection_id": "11785", + "source_interface": "outside", + "mapped_destination_port": 1458, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": 
"172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.1.107", + "ip": "100.66.1.107" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.1.107", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981894Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.1.107", + "connection_id": "11786", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1457, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.198.40", + "ip": "100.66.198.40" + }, + "network": { + "bytes": 593, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + 
"100.66.198.40", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981894Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11784", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8272, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1459, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981895Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": 
{ + "level": "informational" + }, + "destination": { + "port": 1459, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.198.40", + "ip": "100.66.198.40" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.198.40", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981896Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.198.40", + "connection_id": "11787", + "source_interface": "outside", + "mapped_destination_port": 1459, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.1.107", + "ip": "100.66.1.107" + }, + "network": { + "bytes": 375, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": 
"2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.1.107", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981897Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11786", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8273, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1460, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981898Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } 
+ } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1460, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.192.44", + "ip": "100.66.192.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.192.44", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981898Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.192.44", + "connection_id": "11788", + "source_interface": "outside", + "mapped_destination_port": 1460, + "message_id": "302013" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981899Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from 
inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8277, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1385, + "address": "172.31.156.80", + "ip": "172.31.156.80" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.156.80", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981900Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1385, + "address": "172.31.156.80", + "ip": "172.31.156.80" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": 
"Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.156.80" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981901Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.156.80", + "mapped_source_ip": "100.66.19.254", + "connection_id": "11797", + "source_interface": "outside", + "mapped_destination_port": 1385, + "message_id": "302013" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981902Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + 
}, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981903Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981903Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981904Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + 
"hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981905Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981906Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1382, + "address": "172.31.156.80", + "ip": "172.31.156.80" + }, + "source": { + "port": 80, + "address": "100.66.115.46", + "ip": "100.66.115.46" + }, + "network": { + "bytes": 575, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + 
"vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.115.46", + "172.31.156.80" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 325000000000, + "ingested": "2020-11-30T17:49:41.981907Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:29:31.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11564", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1385, + "address": "172.31.156.80", + "ip": "172.31.156.80" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "bytes": 5391, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.156.80" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981907Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + "kind": "event", + "start": 
"2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11797", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8278, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1386, + "address": "172.31.156.80", + "ip": "172.31.156.80" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.156.80", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981908Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1386, + "address": "172.31.156.80", + "ip": "172.31.156.80" + }, + "source": { + "port": 80, + "address": "100.66.115.46", + "ip": "100.66.115.46" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + 
}, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.115.46", + "172.31.156.80" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981909Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.156.80", + "mapped_source_ip": "100.66.115.46", + "connection_id": "11798", + "source_interface": "outside", + "mapped_destination_port": 1386, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981911Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" 
[0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981911Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": 
"inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981912Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981913Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], 
+ "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981914Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + 
"interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981915Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981915Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + 
"rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981916Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + 
"localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981918Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981918Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + 
"log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981919Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + 
"severity": 4, + "ingested": "2020-11-30T17:49:41.981920Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.19.254", + "ip": "100.66.19.254" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.19.254", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.981921Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8279, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, 
+ "source": { + "port": 1275, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981922Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1275, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.205.99", + "ip": "100.66.205.99" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.205.99", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981922Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 
(100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.205.99", + "connection_id": "11799", + "source_interface": "outside", + "mapped_destination_port": 1275, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1190, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981923Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.14.30", + "ip": "100.66.14.30" + }, + "network": { 
+ "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.14.30", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981924Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.14.30", + "connection_id": "11800", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.14.30", + "ip": "100.66.14.30" + }, + "network": { + "bytes": 373, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.14.30", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + 
"ingested": "2020-11-30T17:49:41.981925Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11800", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.252.210", + "ip": "100.66.252.210" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.252.210", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981926Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.252.210", + "connection_id": "11801", + "source_interface": "outside", + "mapped_destination_port": 
56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.252.210", + "ip": "100.66.252.210" + }, + "network": { + "bytes": 207, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.252.210", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981926Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11801", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8280, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1276, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": 
"inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981927Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1276, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981928Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + 
"connection_id": "11802", + "source_interface": "outside", + "mapped_destination_port": 1276, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8281, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981929Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + 
"related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981930Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11803", + "source_interface": "outside", + "mapped_destination_port": 1277, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1276, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 12853, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981932Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + 
"category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11802", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8282, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1278, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981933Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1278, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": 
{ + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981934Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11804", + "source_interface": "outside", + "mapped_destination_port": 1278, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 5291, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981935Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", + "kind": "event", + "start": 
"2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11803", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8283, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1279, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981935Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1279, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + 
"hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981936Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11805", + "source_interface": "outside", + "mapped_destination_port": 1279, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1278, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 965, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981937Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to 
inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11804", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1279, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 8605, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981938Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11805", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8284, + "address": 
"100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1280, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981939Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1280, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981940Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP 
connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11806", + "source_interface": "outside", + "mapped_destination_port": 1280, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1280, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 3428, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981940Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11806", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + 
"log": { + "level": "informational" + }, + "destination": { + "port": 8285, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1281, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981941Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1281, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": 
"2020-11-30T17:49:41.981942Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11807", + "source_interface": "outside", + "mapped_destination_port": 1281, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8286, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1282, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981943Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1282, + "address": 
"172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981944Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11808", + "source_interface": "outside", + "mapped_destination_port": 1282, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8287, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1283, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + 
"172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981944Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1283, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981945Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11809", + "source_interface": "outside", + "mapped_destination_port": 1283, + "message_id": "302013" + } + } + 
}, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8288, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1284, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981946Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1284, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": 
"localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981947Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11810", + "source_interface": "outside", + "mapped_destination_port": 1284, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1281, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 2028, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981948Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", 
+ "message_id": "302014", + "connection_id": "11807", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1282, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 1085, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981948Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11808", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1283, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 868, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": 
"firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981949Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11809", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8289, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1285, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981950Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, 
+ "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1285, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981951Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11811", + "source_interface": "outside", + "mapped_destination_port": 1285, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8290, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1286, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": 
"outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981952Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1286, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981953Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + 
"destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11812", + "source_interface": "outside", + "mapped_destination_port": 1286, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1284, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 4439, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981953Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11810", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8291, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1287, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 
6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981954Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1287, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981955Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", + "kind": "event", + "action": "firewall-rule", + 
"category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11813", + "source_interface": "outside", + "mapped_destination_port": 1287, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1285, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 914, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981956Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11811", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1286, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + 
"address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 871, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981957Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11812", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.100.107", + "ip": "100.66.100.107" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.100.107", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + 
"severity": 6, + "ingested": "2020-11-30T17:49:41.981957Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.100.107", + "connection_id": "11814", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8292, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1288, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981958Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": 
{ + "port": 1288, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981959Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11815", + "source_interface": "outside", + "mapped_destination_port": 1288, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.100.107", + "ip": "100.66.100.107" + }, + "network": { + "bytes": 384, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + 
"hosts": [ + "localhost" + ], + "ip": [ + "100.66.100.107", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981960Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11814", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.104.8", + "ip": "100.66.104.8" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.104.8", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981961Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + 
"mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.104.8", + "connection_id": "11816", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.104.8", + "ip": "100.66.104.8" + }, + "network": { + "bytes": 94, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.104.8", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981962Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11816", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8293, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1289, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + 
"name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981962Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1289, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.123.191", + "ip": "100.66.123.191" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.123.191", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981963Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { 
+ "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.123.191", + "connection_id": "11817", + "source_interface": "outside", + "mapped_destination_port": 1289, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1288, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 945, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981964Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11815", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1287, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + 
"bytes": 13284, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981965Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11813", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.100.4", + "ip": "100.66.100.4" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.100.4", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981966Z", + "code": 302015, + 
"original": "%ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.100.4", + "connection_id": "11818", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.100.4", + "ip": "100.66.100.4" + }, + "network": { + "bytes": 104, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.100.4", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981966Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11818", + "source_interface": "outside" + } + } + }, + { + "process": { + 
"name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8294, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1290, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981967Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1290, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.198.25", + "ip": "100.66.198.25" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.198.25", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + 
"severity": 6, + "ingested": "2020-11-30T17:49:41.981968Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.198.25", + "connection_id": "11819", + "source_interface": "outside", + "mapped_destination_port": 1290, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 68, + "address": "255.255.255.255", + "ip": "255.255.255.255" + }, + "source": { + "port": 67, + "address": "100.66.48.1", + "ip": "100.66.48.1" + }, + "network": { + "bytes": 58512, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "NP Identity Ifc" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.48.1", + "255.255.255.255" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 3526000000000, + "ingested": "2020-11-30T17:49:41.981969Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", + "kind": "event", + "start": "2018-10-10T11:36:10.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "NP Identity Ifc", 
+ "message_id": "302016", + "connection_id": "9828", + "source_interface": "outside" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981970Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.3.39", + "ip": "100.66.3.39" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.3.39", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981971Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] 
+ }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.3.39", + "connection_id": "11820", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.162.30", + "ip": "100.66.162.30" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.162.30", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981971Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.162.30", + "connection_id": "11821", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + 
"address": "100.66.3.39", + "ip": "100.66.3.39" + }, + "network": { + "bytes": 168, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.3.39", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981972Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11820", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.3.39", + "ip": "100.66.3.39" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.3.39", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": 
"2020-11-30T17:49:41.981973Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.3.39", + "connection_id": "11822", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.162.30", + "ip": "100.66.162.30" + }, + "network": { + "bytes": 198, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.162.30", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981974Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11821", + 
"source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.3.39", + "ip": "100.66.3.39" + }, + "network": { + "bytes": 150, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.3.39", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981975Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11822", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.48.186", + "ip": "100.66.48.186" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + 
"interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.48.186", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981976Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.48.186", + "connection_id": "11823", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.48.186", + "ip": "100.66.48.186" + }, + "network": { + "bytes": 84, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.48.186", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981976Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", + "kind": "event", + "start": 
"2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11823", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8295, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1291, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981977Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1291, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.54.190", + "ip": "100.66.54.190" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + 
"hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.54.190", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981978Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.54.190", + "connection_id": "11824", + "source_interface": "outside", + "mapped_destination_port": 1291, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.254.94", + "ip": "100.66.254.94" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.254.94", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981979Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 
(100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.254.94", + "connection_id": "11825", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.254.94", + "ip": "100.66.254.94" + }, + "network": { + "bytes": 188, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.254.94", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981980Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11825", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + 
"destination": { + "port": 8296, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1292, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981981Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1292, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.54.190", + "ip": "100.66.54.190" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.54.190", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981981Z", + "code": 302013, + 
"original": "%ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.54.190", + "connection_id": "11826", + "source_interface": "outside", + "mapped_destination_port": 1292, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8297, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1293, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981982Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1293, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + 
"source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981984Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11827", + "source_interface": "outside", + "mapped_destination_port": 1293, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8298, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1294, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + 
"hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981985Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1294, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981985Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11828", + "source_interface": "outside", + "mapped_destination_port": 1294, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 
999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1293, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 5964, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981986Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11827", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8299, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1295, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": 
[ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981987Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1295, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981988Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11829", + "source_interface": "outside", + "mapped_destination_port": 1295, + 
"message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8300, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1296, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981989Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1296, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + 
"host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981989Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11830", + "source_interface": "outside", + "mapped_destination_port": 1296, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1294, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 6694, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981990Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + 
"destination_interface": "inside", + "message_id": "302014", + "connection_id": "11828", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1295, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 1493, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981991Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11829", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1296, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 893, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": 
"localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981992Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11830", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8301, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1297, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981993Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301", + "kind": "event", + "action": "firewall-rule", + "category": [ + 
"network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1297, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981994Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11831", + "source_interface": "outside", + "mapped_destination_port": 1297, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8302, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1298, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + 
"ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981994Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1298, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981995Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + 
"info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11832", + "source_interface": "outside", + "mapped_destination_port": 1298, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.179.9", + "ip": "100.66.179.9" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.179.9", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981996Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.179.9", + "connection_id": "11833", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 
53, + "address": "100.66.179.9", + "ip": "100.66.179.9" + }, + "network": { + "bytes": 150, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.179.9", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.981997Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11833", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1297, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 2750, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 
0, + "ingested": "2020-11-30T17:49:41.981998Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11831", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8303, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1299, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981998Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1299, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + 
"source": { + "port": 80, + "address": "100.66.247.99", + "ip": "100.66.247.99" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.247.99", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.981999Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.247.99", + "connection_id": "11834", + "source_interface": "outside", + "mapped_destination_port": 1299, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8304, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1300, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + 
"hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1300, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982001Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11835", + "source_interface": "outside", + "mapped_destination_port": 1300, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + 
}, + "log": { + "level": "informational" + }, + "destination": { + "port": 1298, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 881, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.982002Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11832", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1300, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "bytes": 2202, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + 
"hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.982003Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11835", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8305, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1301, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982003Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + 
"name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1301, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982004Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + "connection_id": "11836", + "source_interface": "outside", + "mapped_destination_port": 1301, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8306, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1302, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" 
+ } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982005Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1302, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.98.165", + "ip": "100.66.98.165" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.98.165", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982006Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.98.165", + 
"connection_id": "11837", + "source_interface": "outside", + "mapped_destination_port": 1302, + "message_id": "302013" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982007Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982007Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + 
"event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982008Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982009Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982010Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": 
"firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982011Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982012Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982012Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to 
outside:100.66.98.44/8287 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982013Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982014Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + 
"log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982015Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982016Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982016Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } 
+ }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982017Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982018Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8308, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1304, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": 
"firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982019Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1304, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.205.99", + "ip": "100.66.205.99" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.205.99", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982020Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + 
"mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.205.99", + "connection_id": "11840", + "source_interface": "outside", + "mapped_destination_port": 1304, + "message_id": "302013" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982021Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982021Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.0.124", + "ip": 
"100.66.0.124" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.0.124", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982022Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.0.124", + "connection_id": "11841", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.160.2", + "ip": "100.66.160.2" + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.160.2", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { 
+ "severity": 6, + "ingested": "2020-11-30T17:49:41.982023Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 53, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.160.2", + "connection_id": "11842", + "source_interface": "outside", + "mapped_destination_port": 56132, + "message_id": "302015" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.0.124", + "ip": "100.66.0.124" + }, + "network": { + "bytes": 318, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.0.124", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.982024Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + 
"connection_id": "11841", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 56132, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 53, + "address": "100.66.160.2", + "ip": "100.66.160.2" + }, + "network": { + "bytes": 104, + "iana_number": 17, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.160.2", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2020-11-30T17:49:41.982025Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "kind": "event", + "start": "2018-10-10T12:34:56.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "11842", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8309, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1305, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + 
"interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982025Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1305, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982026Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + 
"mapped_source_ip": "100.66.124.24", + "connection_id": "11843", + "source_interface": "outside", + "mapped_destination_port": 1305, + "message_id": "302013" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982027Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982028Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + 
"host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982029Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982029Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982030Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": 
"localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982031Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982032Z", + "code": 305012, + "original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "305012" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1305, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "bytes": 410333, + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": 
"Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "duration": 4000000000, + "ingested": "2020-11-30T17:49:41.982033Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", + "kind": "event", + "start": "2018-10-10T12:34:52.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302014", + "connection_id": "11843", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982034Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + 
"denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982034Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": 
{ + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982035Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 8310, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1306, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982036Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + } + }, + { + 
"process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1306, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:41.982037Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "172.31.98.44", + "mapped_source_ip": "100.66.124.24", + "connection_id": "11844", + "source_interface": "outside", + "mapped_destination_port": 1306, + "message_id": "302013" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": 
"outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982038Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982038Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + 
"source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982039Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + 
"100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982040Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982041Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + 
}, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982042Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": 
"2020-11-30T17:49:41.982043Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982044Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + 
"address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982044Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982045Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst 
inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982046Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + 
"observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982047Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982048Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ 
+ "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982049Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": 
"firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982049Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982050Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": 
"inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982051Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": 
"2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982052Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982053Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + 
"process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982054Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + 
"host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982055Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982056Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + 
"address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982056Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982057Z", + "code": 
106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982058Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": 
"100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982059Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982060Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group 
\"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982061Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { 
+ "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982061Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982062Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + 
"denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982063Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": 
{ + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982064Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8309, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "port": 80, + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2018-10-10T12:34:56.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:41.982065Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + 
"rule_name": "inbound",
+ "source_interface": "outside"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log
new file mode 100644
index 00000000000..a02a1136b19
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log
@@ -0,0 +1 @@
+Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-config.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-config.json
new file mode 100644
index 00000000000..d84f1eae1eb
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-config.json
@@ -0,0 +1,10 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ },
+ "numeric_keyword_fields": [
+ "network.iana_number",
+ "event.code",
+ "syslog.facility"
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json
new file mode 100644
index 00000000000..f2e1bf728a5
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json
@@ -0,0 +1,63 @@ +{ + "expected": [ + { + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2020-02-20T16:11:11.000Z", + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "log": { + "level": "informational" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "RU-MOW", + "city_name": "Moscow", + "country_iso_code": "RU", + "country_name": "Russia", + "region_name": "Moscow", + "location": { + "lon": 37.6172, + "lat": 55.7527 + } + }, + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.108789Z", + "code": 734001, + "original": "%ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "user": { + "email": "firsname.lastname@domain.net" + }, + "cisco": { + "asa": { + "connection_type": "AnyConnect", + "message_id": "734001", + "dap_records": [ + "dap_1", + "dap_2" + ] + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log new file mode 100644 index 00000000000..65390a6f494 --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log @@ -0,0 +1,3 @@ +Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered. +Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level. +Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0 
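Review bot: The single expected document bakes a GeoIP lookup for `1.2.3.4` into the fixture (`source.geo` resolving to Moscow/RU), so this assertion holds only for whichever GeoIP database the test harness ships, whereas the other fixtures in this commit use RFC 5737 documentation ranges such as `192.0.2.0/24` and `203.0.113.0/24`, which yield no `geo` block. If GeoIP enrichment is not what the DAP case is meant to exercise, change the `Addr` in test-dap-records.log to a documentation address and regenerate this file; if it is, the dependence on the bundled test database deserves a line in the package's test notes, since the `.log-config.json` has nowhere to carry a comment.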
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-config.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-config.json
new file mode 100644
index 00000000000..d84f1eae1eb
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-config.json
@@ -0,0 +1,10 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ },
+ "numeric_keyword_fields": [
+ "network.iana_number",
+ "event.code",
+ "syslog.facility"
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json
new file mode 100644
index 00000000000..6eaa327d828
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json
@@ -0,0 +1,158 @@ +{ + "expected": [ + { + "observer": { + "hostname": "beats", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "asa", + "pid": 1234 + }, + "@timestamp": "2020-01-01T01:00:27.000Z", + "related": { + "hosts": [ + "beats" + ] + }, + "log": { + "level": "debug" + }, + "host": { + "hostname": "beats" + }, + "event": { + "severity": 7, + "ingested": "2020-11-30T17:49:51.138385Z", + "code": 999999, + "original": "%ASA-7-999999: This message is not filtered.", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "999999" + } + } + }, + { + "observer": { + "hostname": "beats", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "asa", + "pid": 1234 + }, + "@timestamp": "2020-01-01T01:00:30.000Z", + "related": { + "hosts": [ + "beats" + ] + }, + "log": {}, + "host": { + "hostname": "beats" + }, + "event": { + "severity": 8, + "ingested": "2020-11-30T17:49:51.138387Z", + "code": 999999, + "original": "%ASA-8-999999: This phony message is dropped due to log level.", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "message_id": "999999" + } + } + }, + { + "process": { + "name": "asa", + "pid": 1234 + }, + "log": { + "level": "critical" + }, + "destination": { + "port": 443, + "address": "192.168.33.12", + "ip": "192.168.33.12" + }, + "source": { + "port": 45321, + "address": "10.13.12.11", + "ip": "10.13.12.11" + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "inbound" + }, + "observer": { + "hostname": "beats", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "eth0" + } + } + }, + "@timestamp": "2020-01-01T01:02:12.000Z", + "related": { + "hosts": [ + "beats" + ], + "ip": [ + "10.13.12.11", + "192.168.33.12" + ] 
+ }, + "host": { + "hostname": "beats" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.138388Z", + "code": 106001, + "original": "%ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "eth0", + "message_id": "106001" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log new file mode 100644 index 00000000000..531c241da79 --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log @@ -0,0 +1,2 @@ +Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0 +Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0 diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-config.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-config.json new file mode 100644 index 00000000000..d84f1eae1eb --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-config.json @@ -0,0 +1,10 @@ +{ + "dynamic_fields": { + "event.ingested": ".*" + }, + "numeric_keyword_fields": [ + "network.iana_number", + "event.code", + "syslog.facility" + ] +} \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json new file mode 100644 index 00000000000..c0b37d7eaa0 --- /dev/null 
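Review bot: The second expected document keeps the `%ASA-8-999999` line with `event.severity: 8` and an empty `"log": {}`, even though the sample text itself says the message is dropped due to log level; syslog severities run 0–7, so the severity-to-`log.level` mapping presumably finds no match and leaves the empty object behind. If level filtering happens upstream of the ingest pipeline, this fixture only asserts that an out-of-range severity passes through unlabelled, and the `test-filtered` name is misleading; if the pipeline is meant to filter, it should drop or tag the event instead. In either case the pipeline should not emit an empty `log` object — drop it or set a fallback `log.level` — and this file regenerated afterwards.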
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json 
@@ -0,0 +1,118 @@ +{ + "expected": [ + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2019-10-10T10:21:36.000Z", + "related": { + "hosts": [ + "localhost", + "target.destination.hostname.local", + "Prod-host.name.addr" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "destination": { + "domain": "target.destination.hostname.local" + }, + "source": { + "nat": { + "ip": "10.0.55.66" + }, + "domain": "Prod-host.name.addr" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.208718Z", + "code": 302021, + "original": "%ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "mapped_source_ip": "10.0.55.66", + "message_id": "302021" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "observer": { + "hostname": "MYHOSTNAME", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2011-06-04T21:59:52.000Z", + "related": { + "hosts": [ + "MYHOSTNAME" + ], + "ip": [ + "192.0.2.134", + "192.0.2.15" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "MYHOSTNAME" + }, + "destination": { + "address": "192.0.2.15", + "ip": "192.0.2.15" + }, + "source": { + "address": "192.0.2.134", + "ip": "192.0.2.134" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.208720Z", + "code": 302021, + "original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "mapped_source_ip": 
"192.0.2.134", + "source_username": "type", + "message_id": "302021" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log new file mode 100644 index 00000000000..2742be4b533 --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log @@ -0,0 +1,3 @@ +<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000] +Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233 +Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-config.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-config.json new file mode 100644 index 00000000000..d84f1eae1eb --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-config.json @@ -0,0 +1,10 @@ +{ + "dynamic_fields": { + "event.ingested": ".*" + }, + "numeric_keyword_fields": [ + "network.iana_number", + "event.code", + "syslog.facility" + ] +} \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json new file mode 100644 index 00000000000..24c682cb903 --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json 
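Review bot: The second expected document maps the literal word `type` to `cisco.asa.source_username` for the `302021` line ending in `laddr 192.0.2.134/57808 type 8 code 0`; presumably the optional username slot of the teardown pattern (compare `user1`/`user2` on the `302016` sample line) is swallowing the `type <n> code <n>` ICMP suffix, and committing this output locks in the mis-parse. The pattern should consume `type <n> code <n>` before the optional username, or the username capture should exclude that keyword, and the fixture regenerated so `cisco.asa.source_username` is absent here. Separately, the first document carries `source.nat.ip: 10.0.55.66` but no `related.ip` entry for it, unlike the IP-bearing documents elsewhere in this commit — worth confirming whether NAT addresses are intentionally left out of `related.ip`.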
@@ -0,0 +1,217 @@ +{ + "expected": [ + { + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "LB-DMZ" + } + } + }, + "@timestamp": "2019-10-04T15:27:55.000Z", + "related": { + "hosts": [ + "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + ], + "ip": [ + "203.0.113.42" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 53, + "address": "203.0.113.42", + "ip": "203.0.113.42" + }, + "syslog": { + "facility": 165 + }, + "source": { + "port": 27218, + "address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", + "domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.260025Z", + "code": 106100, + "original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "OUTSIDE", + "message_id": "106100", + "rule_name": "AL-DMZ-LB-IN", + "source_interface": "LB-DMZ" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2020-01-01T10:42:53.000Z", + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "192.168.132.46", + "172.24.177.29" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "localhost" + }, + "destination": { + "address": "172.24.177.29", + "ip": "172.24.177.29" + }, + "source": { + "address": "192.168.132.46", + "ip": "192.168.132.46" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.260028Z", + "code": 302021, + "original": "%ASA-6-302021: Teardown ICMP 
connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "mapped_source_host": "mydomain.example.net", + "message_id": "302021" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "server": { + "domain": "example.org" + }, + "log": { + "level": "warning" + }, + "destination": { + "address": "172.24.177.3", + "port": 80, + "domain": "example.org", + "ip": "172.24.177.3" + }, + "source": { + "nat": { + "port": 11234 + }, + "address": "10.10.10.1", + "port": 1234, + "ip": "10.10.10.1" + }, + "network": { + "iana_number": 6, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "wan" + } + }, + "hostname": "localhost", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "eth0" + } + } + }, + "@timestamp": "2020-01-02T11:33:20.000Z", + "related": { + "hosts": [ + "localhost", + "example.org" + ], + "ip": [ + "10.10.10.1", + "172.24.177.3" + ] + }, + "host": { + "hostname": "localhost" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.260029Z", + "code": 338204, + "original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "mapped_destination_host": "www.example.org", + "destination_interface": "wan", + "mapped_source_port": 11234, + "threat_level": "high", + "mapped_source_host": "source.example.net", + "rule_name": "dynamic", + "source_interface": "eth0", + 
"mapped_destination_port": 80, + "message_id": "338204", + "threat_category": "malware" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log new file mode 100644 index 00000000000..cc9d8449f62 --- /dev/null +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log 
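Review bot: In the third expected document `cisco.asa.rule_name` is `dynamic` for the `338204` line, which names no access-list at all; the value looks like the word `dynamic` from `resolved from dynamic list` landing in the rule-name slot, so the fixture asserts a spurious rule name. The same document records `mapped_source_host: source.example.net` and `mapped_destination_host: www.example.org`, yet `related.hosts` holds only `localhost` and `example.org`, so a pivot on the mapped names will miss this event. If the Dynamic Filter messages (338xxx) are meant to have no rule name, the pattern should not populate `rule_name` for them, and the mapped hosts should be appended to `related.hosts` before this file is regenerated.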
@@ -0,0 +1,71 @@
+Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]
+Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0]
+Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]
+Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]
+Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834
+Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)
+Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882
+Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)
+Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392
+Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)
+Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140
+Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999
+Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233
+Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879
+Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)
+Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query
+Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside
+Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query
+Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
+Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 : %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
+Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:39 : %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
+Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 : %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
+Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416
+Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
+Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
+Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]"
+Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside
+Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session
+Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com
+Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
+Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
+Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-config.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-config.json
new file mode 100644
index 00000000000..d84f1eae1eb
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-config.json
@@ -0,0 +1,10 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ },
+ "numeric_keyword_fields": [
+ "network.iana_number",
+ "event.code",
+ "syslog.facility"
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json
new file mode 100644
index 00000000000..e2d58fd43ca
--- /dev/null
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json
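Review bot: Several lines in this sample carry deliberate-looking irregularities that nothing documents: the `106023` line at `06:53:01` ends with a stray `"` after `[0x0, 0x0]`, the `Aug 15 2012` line has no colon after `%ASA-6-302016`, two `302013` lines contain malformed mapped addresses (`10.123.3.42.130/12834`, `10.123.3.130/45392`), and the `338004`/`338008` lines use the interface name `outsidet`. If these are intentional robustness cases (presumably inherited from an earlier sample set), a short list of them in the package's test notes would stop a future cleanup from silently changing what test-sample.log-expected.json asserts — the `.log` itself cannot carry a comment without that line becoming an input event. If they are typos, fix them before the expected file is regenerated.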
@@ -0,0 +1,4618 @@ +{ + "expected": [ + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "dmz" + } + } + }, + "@timestamp": "2013-04-15T09:36:50.000Z", + "related": { + "ip": [ + "10.1.2.30", + "192.0.0.8" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 53, + "address": "192.0.0.8", + "ip": "192.0.0.8" + }, + "source": { + "port": 63016, + "address": "10.1.2.30", + "ip": "10.1.2.30" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360293Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106023", + "rule_name": "acl_dmz", + "source_interface": "dmz" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "dmz" + } + } + }, + "@timestamp": "2013-04-15T09:36:50.000Z", + "related": { + "ip": [ + "10.1.2.30", + "192.0.0.8" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 53, + "address": "192.0.0.8", + "ip": "192.0.0.8" + }, + "source": { + "port": 63016, + "address": "10.1.2.30", + "ip": "10.1.2.30" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360296Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + 
"info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106023", + "rule_name": "acl_dmz", + "source_interface": "dmz" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2014-04-15T13:34:34.000Z", + "related": { + "ip": [ + "10.1.2.16", + "192.0.0.89" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.89", + "ip": "192.0.0.89" + }, + "source": { + "port": 2241, + "address": "10.1.2.16", + "ip": "10.1.2.16" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360296Z", + "code": 106100, + "original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "suffix": "session", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "INT-FW01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-24T16:00:28.000Z", + "related": { + "hosts": [ + "INT-FW01" + ], + "ip": [ + "172.29.2.101", + "192.0.2.10" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "INT-FW01" + }, + "destination": { + "port": 53, + "address": "192.0.2.10", + "ip": "192.0.2.10" + }, + "source": { + 
"port": 1039, + "address": "172.29.2.101", + "ip": "172.29.2.101" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360297Z", + "code": 106100, + "original": "%ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "inside", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "INT-FW01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-24T16:00:27.000Z", + "related": { + "hosts": [ + "INT-FW01" + ], + "ip": [ + "172.29.2.3", + "192.0.2.57" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "INT-FW01" + }, + "destination": { + "port": 53, + "address": "192.0.2.57", + "ip": "192.0.2.57" + }, + "source": { + "port": 1065, + "address": "172.29.2.3", + "ip": "172.29.2.3" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360298Z", + "code": 106100, + "original": "%ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "inside", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + 
"name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "10.123.3.42", + "192.0.2.130" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 12834, + "address": "192.0.2.130", + "ip": "192.0.2.130" + }, + "source": { + "port": 4952, + "address": "10.123.3.42", + "ip": "10.123.3.42" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360299Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "outside", + "message_id": "305011" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "192.0.2.43", + "10.123.3.42" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 12834 + }, + "address": "10.123.3.42", + "port": 4952, + "ip": "10.123.3.42" + }, + "source": { + "port": 443, + "address": "192.0.2.43", + "ip": "192.0.2.43" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360300Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": 
"outside", + "mapped_source_port": 443, + "mapped_destination_ip": "10.123.3.42", + "mapped_source_ip": "192.0.2.43", + "connection_id": "89743274", + "source_interface": "outside", + "mapped_destination_port": 12834, + "message_id": "302013" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "10.123.1.35", + "192.0.2.130" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 25882, + "address": "192.0.2.130", + "ip": "192.0.2.130" + }, + "source": { + "port": 52925, + "address": "10.123.1.35", + "ip": "10.123.1.35" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360300Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "outside", + "message_id": "305011" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "192.0.2.222", + "10.123.1.35" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 25882 + }, + "address": "10.123.1.35", + "port": 52925, + "ip": "10.123.1.35" + }, + "source": { + "nat": { + "ip": "192.0.2.43" + }, + "address": "192.0.2.222", + "port": 53, + "ip": 
"192.0.2.222" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360301Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "mapped_source_port": 53, + "mapped_destination_ip": "10.123.1.35", + "mapped_source_ip": "192.0.2.43", + "connection_id": "89743275", + "source_interface": "outside", + "mapped_destination_port": 25882, + "message_id": "302015" + } + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "10.123.3.42", + "192.0.2.130" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 45392, + "address": "192.0.2.130", + "ip": "192.0.2.130" + }, + "source": { + "port": 4953, + "address": "10.123.3.42", + "ip": "10.123.3.42" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360302Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "outside", + "message_id": "305011" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + 
"interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "192.0.2.1", + "10.123.3.42" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 45392, + "ip": "10.123.3.130" + }, + "address": "10.123.3.42", + "port": 4953, + "ip": "10.123.3.42" + }, + "source": { + "port": 80, + "address": "192.0.2.1", + "ip": "192.0.2.1" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360303Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "mapped_source_port": 80, + "mapped_destination_ip": "10.123.3.130", + "mapped_source_ip": "192.0.2.1", + "connection_id": "89743276", + "source_interface": "outside", + "mapped_destination_port": 45392, + "message_id": "302013" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "192.0.2.222", + "10.123.1.35" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 52925, + "address": "10.123.1.35", + "ip": "10.123.1.35" + }, + "source": { + "port": 53, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "duration": 5025000000000, + "ingested": "2020-11-30T17:49:51.360304Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "kind": 
"event", + "start": "2013-04-29T11:36:05.000Z", + "action": "flow-expiration", + "end": "2013-04-29T12:59:50.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "89743275", + "source_interface": "outside" + } + }, + "network": { + "bytes": 140, + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "192.0.2.222", + "10.123.1.35" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 52925, + "address": "10.123.1.35", + "ip": "10.123.1.35" + }, + "source": { + "port": 53, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "duration": 36000000000000, + "ingested": "2020-11-30T17:49:51.360304Z", + "code": 302016, + "original": "%ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "kind": "event", + "start": "2013-04-29T02:59:50.000Z", + "action": "flow-expiration", + "end": "2013-04-29T12:59:50.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_username": "user1", + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "666", + "source_interface": "outside", + "destination_username": "user2" + } + }, + "network": { + "bytes": 9999999, + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "hostname": "FJSG2NRFW01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2011-06-04T21:59:52.000Z", + "related": { + "hosts": [ + "FJSG2NRFW01" + ], + "ip": [ + "192.168.132.46", 
+ "172.24.177.29" + ] + }, + "log": { + "level": "informational" + }, + "host": { + "hostname": "FJSG2NRFW01" + }, + "destination": { + "address": "172.24.177.29", + "ip": "172.24.177.29" + }, + "source": { + "address": "192.168.132.46", + "ip": "192.168.132.46" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360305Z", + "code": 302021, + "original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "mapped_source_ip": "192.168.132.46", + "message_id": "302021" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "192.168.3.42", + "192.0.0.130" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 10879, + "address": "192.0.0.130", + "ip": "192.0.0.130" + }, + "source": { + "port": 4954, + "address": "192.168.3.42", + "ip": "192.168.3.42" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360306Z", + "code": 305011, + "original": "%ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside", + "message_id": "305011" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + 
"egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-29T12:59:50.000Z", + "related": { + "ip": [ + "192.0.0.17", + "192.168.3.42" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 10879, + "ip": "10.0.0.130" + }, + "address": "192.168.3.42", + "port": 4954, + "ip": "192.168.3.42" + }, + "source": { + "port": 80, + "address": "192.0.0.17", + "ip": "192.0.0.17" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360307Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "mapped_source_port": 80, + "mapped_destination_ip": "10.0.0.130", + "mapped_source_ip": "192.0.0.17", + "connection_id": "89743277", + "source_interface": "outside", + "mapped_destination_port": 10879, + "message_id": "302013" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + } + }, + { + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2013-04-30T09:22:33.000Z", + "related": { + "ip": [ + "192.0.0.66", + "10.1.2.60" + ] + }, + "log": { + "level": "critical" + }, + "destination": { + "port": 53, + "address": "10.1.2.60", + "ip": "10.1.2.60" + }, + "source": { + "port": 12981, + "address": "192.0.0.66", + "ip": "192.0.0.66" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360307Z", + "code": 106007, + "original": "%ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "message_id": "106007" + } + }, 
+ "network": { + "protocol": "dns", + "transport": "udp", + "iana_number": 17, + "direction": "inbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:38.000Z", + "related": { + "ip": [ + "10.0.0.16", + "192.0.0.89" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.89", + "ip": "192.0.0.89" + }, + "source": { + "port": 2006, + "address": "10.0.0.16", + "ip": "10.0.0.16" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360308Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:38.000Z", + "related": { + "ip": [ + "10.0.0.46", + "192.0.0.88" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 40443, + "address": "192.0.0.88", + "ip": "192.0.0.88" + }, + "source": { + "port": 49734, + "address": "10.0.0.46", + "ip": "10.0.0.46" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360309Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) 
hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:39.000Z", + "related": { + "ip": [ + "10.0.0.46", + "192.0.0.88" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 40443, + "address": "192.0.0.88", + "ip": "192.0.0.88" + }, + "source": { + "port": 49735, + "address": "10.0.0.46", + "ip": "10.0.0.46" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360310Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:39.000Z", + "related": { + "ip": [ + "10.0.0.46", + "192.0.0.88" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 40443, + "address": "192.0.0.88", + "ip": "192.0.0.88" + }, + 
"source": { + "port": 49736, + "address": "10.0.0.46", + "ip": "10.0.0.46" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360310Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:39.000Z", + "related": { + "ip": [ + "10.0.0.46", + "192.0.0.88" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 40443, + "address": "192.0.0.88", + "ip": "192.0.0.88" + }, + "source": { + "port": 49737, + "address": "10.0.0.46", + "ip": "10.0.0.46" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360311Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": 
{ + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:40.000Z", + "related": { + "ip": [ + "10.0.0.46", + "192.0.0.88" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 40443, + "address": "192.0.0.88", + "ip": "192.0.0.88" + }, + "source": { + "port": 49738, + "address": "10.0.0.46", + "ip": "10.0.0.46" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360312Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:41.000Z", + "related": { + "ip": [ + "10.0.0.46", + "192.0.0.88" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 40443, + "address": "192.0.0.88", + "ip": "192.0.0.88" + }, + "source": { + "port": 49746, + "address": "10.0.0.46", + "ip": "10.0.0.46" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360313Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": 
"106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:47.000Z", + "related": { + "ip": [ + "10.0.0.16", + "192.0.0.89" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.89", + "ip": "192.0.0.89" + }, + "source": { + "port": 2007, + "address": "10.0.0.16", + "ip": "10.0.0.16" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360314Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "dmz" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:48.000Z", + "related": { + "ip": [ + "10.0.0.13", + "192.168.33.31" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 25, + "address": "192.168.33.31", + "ip": "192.168.33.31" + }, + "source": { + "port": 43013, + "address": "10.0.0.13", + "ip": "10.0.0.13" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360315Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e 
dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "dmz", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:22:56.000Z", + "related": { + "ip": [ + "10.0.0.16", + "192.0.0.89" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.89", + "ip": "192.0.0.89" + }, + "source": { + "port": 2008, + "address": "10.0.0.16", + "ip": "10.0.0.16" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360316Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:23:02.000Z", + "related": { + "ip": [ + "192.0.2.66", + "10.1.2.42" + ] + }, + "log": { + "level": "critical" + }, + "destination": { + "port": 137, + "address": "10.1.2.42", + "ip": "10.1.2.42" + }, + "source": { + "port": 137, + "address": "192.0.2.66", + 
"ip": "192.0.2.66" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360317Z", + "code": 106006, + "original": "%ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "inside", + "message_id": "106006" + } + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "inbound" + } + }, + { + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2013-04-30T09:23:03.000Z", + "related": { + "ip": [ + "192.0.2.66", + "10.1.5.60" + ] + }, + "log": { + "level": "critical" + }, + "destination": { + "port": 53, + "address": "10.1.5.60", + "ip": "10.1.5.60" + }, + "source": { + "port": 12981, + "address": "192.0.2.66", + "ip": "192.0.2.66" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360317Z", + "code": 106007, + "original": "%ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "message_id": "106007" + } + }, + "network": { + "protocol": "dns", + "transport": "udp", + "iana_number": 17, + "direction": "inbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:23:06.000Z", + "related": { + "ip": [ + "10.0.0.16", + "192.0.0.89" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.89", + "ip": "192.0.0.89" + }, + "source": { + "port": 2009, + "address": "10.0.0.16", + "ip": "10.0.0.16" + }, + "event": 
{ + "severity": 5, + "ingested": "2020-11-30T17:49:51.360318Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:23:08.000Z", + "related": { + "ip": [ + "10.0.0.46", + "192.0.0.88" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 40443, + "address": "192.0.0.88", + "ip": "192.0.0.88" + }, + "source": { + "port": 49776, + "address": "10.0.0.46", + "ip": "10.0.0.46" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360319Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": 
"2013-04-30T09:23:15.000Z", + "related": { + "ip": [ + "10.0.0.16", + "192.0.0.89" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.89", + "ip": "192.0.0.89" + }, + "source": { + "port": 2010, + "address": "10.0.0.16", + "ip": "10.0.0.16" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360320Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:23:24.000Z", + "related": { + "ip": [ + "10.0.0.16", + "192.0.0.89" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.89", + "ip": "192.0.0.89" + }, + "source": { + "port": 2011, + "address": "10.0.0.16", + "ip": "10.0.0.16" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360320Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + 
"network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:23:34.000Z", + "related": { + "ip": [ + "10.0.0.16", + "192.0.0.89" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.89", + "ip": "192.0.0.89" + }, + "source": { + "port": 2012, + "address": "10.0.0.16", + "ip": "10.0.0.16" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360321Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-30T09:23:40.000Z", + "related": { + "ip": [ + "192.0.2.126", + "10.0.0.132" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8111, + "address": "10.0.0.132", + "ip": "10.0.0.132" + }, + "source": { + "port": 53638, + "address": "192.0.2.126", + "ip": "192.0.2.126" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360322Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "kind": "event", + "action": 
"firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "acl_out", + "source_interface": "outside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2013-04-30T09:23:41.000Z", + "related": { + "ip": [ + "192.0.2.126", + "10.0.0.132" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 8111, + "address": "10.0.0.132", + "ip": "10.0.0.132" + }, + "source": { + "port": 53638, + "address": "192.0.2.126", + "ip": "192.0.2.126" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360323Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "acl_out", + "source_interface": "outside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:23:43.000Z", + "related": { + "ip": [ + "10.0.0.46", + "192.0.0.88" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 40443, + "address": "192.0.0.88", + "ip": "192.0.0.88" + }, + "source": { + "port": 49840, + "address": "10.0.0.46", + "ip": "10.0.0.46" + }, + "event": 
{ + "severity": 5, + "ingested": "2020-11-30T17:49:51.360324Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2013-04-30T09:23:43.000Z", + "related": { + "ip": [ + "10.0.0.16", + "192.0.0.89" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.89", + "ip": "192.0.0.89" + }, + "source": { + "port": 2013, + "address": "10.0.0.16", + "ip": "10.0.0.16" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360324Z", + "code": 106100, + "original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": 
"2018-04-15T13:34:34.000Z", + "related": { + "ip": [ + "10.0.0.16", + "192.0.0.99" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "port": 2000, + "address": "192.0.0.99", + "ip": "192.0.0.99" + }, + "source": { + "port": 2241, + "address": "10.0.0.16", + "ip": "10.0.0.16" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360325Z", + "code": 106100, + "original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106100", + "suffix": "session", + "rule_name": "acl_in", + "source_interface": "inside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "identity" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:24.000Z", + "related": { + "ip": [ + "192.168.77.12", + "10.0.13.13" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 80, + "address": "10.0.13.13", + "ip": "10.0.13.13" + }, + "source": { + "port": 11180, + "address": "192.168.77.12", + "ip": "192.168.77.12" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360326Z", + "code": 302015, + "original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "identity", + "mapped_source_port": 11180, 
+ "mapped_destination_ip": "10.0.13.13", + "mapped_source_ip": "192.168.77.12", + "connection_id": "447235", + "source_interface": "outside", + "mapped_destination_port": 80, + "message_id": "302015" + } + }, + "network": { + "iana_number": 17, + "transport": "udp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "dmz" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:24.000Z", + "related": { + "ip": [ + "192.168.1.33", + "192.0.0.12" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 53, + "address": "192.0.0.12", + "ip": "192.0.0.12" + }, + "source": { + "port": 5555, + "address": "192.168.1.33", + "ip": "192.168.1.33" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360327Z", + "code": 106023, + "original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106023", + "rule_name": "dmz", + "source_interface": "dmz" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "dmz" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:24.000Z", + "related": { + "ip": [ + "192.168.1.33", + "192.0.0.12" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 53, + "address": "192.0.0.12", + "ip": "192.0.0.12" + }, + "source": { + "port": 5555, + "address": 
"192.168.1.33", + "ip": "192.168.1.33" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360327Z", + "code": 106023, + "original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106023", + "rule_name": "dmz", + "source_interface": "dmz" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "dmz" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:31.000Z", + "related": { + "hosts": [ + "OCSP_Server" + ], + "ip": [ + "192.0.2.222" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 5678, + "address": "OCSP_Server", + "domain": "OCSP_Server" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360328Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "mapped_destination_host": "OCSP_Server", + "destination_interface": "dmz", + "mapped_source_port": 1234, + "mapped_source_ip": "192.0.2.222", + "connection_id": "447236", + "source_interface": "outside", + "mapped_destination_port": 5678, + "message_id": "302013" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + } + }, + { + 
"observer": { + "ingress": { + "interface": { + "name": "dmz" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:31.000Z", + "related": { + "hosts": [ + "OCSP_Server" + ], + "ip": [ + "192.0.2.222" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 5678, + "address": "OCSP_Server", + "domain": "OCSP_Server" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360329Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "mapped_destination_host": "OCSP_Server", + "destination_interface": "dmz", + "mapped_source_port": 1234, + "mapped_source_ip": "192.0.2.222", + "connection_id": "447236", + "source_interface": "outside", + "mapped_destination_port": 5678, + "message_id": "302013" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "dmz" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:31.000Z", + "related": { + "ip": [ + "192.0.2.222", + "192.168.1.34" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 5678, + "address": "192.168.1.34", + "ip": "192.168.1.34" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": 
"2020-11-30T17:49:51.360329Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "kind": "event", + "start": "2018-12-11T08:01:31.000Z", + "action": "flow-expiration", + "end": "2018-12-11T08:01:31.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "dmz", + "message_id": "302014", + "connection_id": "447236", + "source_interface": "outside" + } + }, + "network": { + "bytes": 14804, + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "dmz" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:38.000Z", + "related": { + "ip": [ + "192.0.2.222", + "192.168.1.35" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 5678, + "address": "192.168.1.35", + "ip": "192.168.1.35" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "duration": 68000000000, + "ingested": "2020-11-30T17:49:51.360330Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "kind": "event", + "start": "2018-12-11T08:00:30.000Z", + "action": "flow-expiration", + "end": "2018-12-11T08:01:38.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "dmz", + "message_id": "302014", + "connection_id": "447234", + "source_interface": "outside" + } + }, + "network": { + "bytes": 134781, + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + 
"name": "dmz" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:38.000Z", + "related": { + "ip": [ + "192.0.2.222", + "192.168.1.35" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 5678, + "address": "192.168.1.35", + "ip": "192.168.1.35" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "duration": 68000000000, + "ingested": "2020-11-30T17:49:51.360331Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "kind": "event", + "start": "2018-12-11T08:00:30.000Z", + "action": "flow-expiration", + "end": "2018-12-11T08:01:38.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "dmz", + "message_id": "302014", + "connection_id": "447234", + "source_interface": "outside" + } + }, + "network": { + "bytes": 134781, + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:38.000Z", + "related": { + "ip": [ + "192.0.2.222", + "192.168.1.34" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 5679, + "address": "192.168.1.34", + "ip": "192.168.1.34" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360332Z", + "code": 106015, + "original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + 
"kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ], + "outcome": "tcp" + }, + "cisco": { + "asa": { + "source_interface": "outside", + "message_id": "106015" + } + }, + "network": { + "transport": "(no" + } + }, + { + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:38.000Z", + "related": { + "ip": [ + "192.0.2.222", + "192.168.1.34" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 5679, + "address": "192.168.1.34", + "ip": "192.168.1.34" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360332Z", + "code": 106015, + "original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ], + "outcome": "tcp" + }, + "cisco": { + "asa": { + "source_interface": "outside", + "message_id": "106015" + } + }, + "network": { + "transport": "(no" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "dmz" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:39.000Z", + "related": { + "ip": [ + "192.168.1.34", + "192.0.0.12" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 5000, + "address": "192.0.0.12", + "ip": "192.0.0.12" + }, + "source": { + "port": 5679, + "address": "192.168.1.34", + "ip": "192.168.1.34" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360333Z", + "code": 106023, + "original": "%ASA-4-106023: Deny udp src 
dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "message_id": "106023", + "rule_name": "dmz", + "source_interface": "dmz" + } + }, + "network": { + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "dmz" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:53.000Z", + "related": { + "ip": [ + "192.0.2.222", + "192.168.1.34" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 65000, + "address": "192.168.1.34", + "ip": "192.168.1.34" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360334Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "dmz", + "mapped_source_port": 1234, + "mapped_destination_ip": "192.168.1.34", + "mapped_source_ip": "192.0.2.222", + "connection_id": "447237", + "source_interface": "outside", + "mapped_destination_port": 65000, + "message_id": "302013" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "dmz" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } 
+ }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:53.000Z", + "related": { + "ip": [ + "192.0.2.222", + "192.168.1.34" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 65000, + "address": "192.168.1.34", + "ip": "192.168.1.34" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "ingested": "2020-11-30T17:49:51.360335Z", + "code": 302013, + "original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "dmz", + "mapped_source_port": 1234, + "mapped_destination_ip": "192.168.1.34", + "mapped_source_ip": "192.0.2.222", + "connection_id": "447237", + "source_interface": "outside", + "mapped_destination_port": 65000, + "message_id": "302013" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp", + "direction": "outbound" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "dmz" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "process": { + "name": "\u003cIP\u003e" + }, + "@timestamp": "2018-12-11T08:01:53.000Z", + "related": { + "ip": [ + "192.0.2.222", + "10.10.10.10" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 1235, + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, + "source": { + "port": 1234, + "address": "192.0.2.222", + "ip": "192.0.2.222" + }, + "event": { + "severity": 6, + "duration": 86399000000000, + "ingested": "2020-11-30T17:49:51.360335Z", + "code": 302014, + "original": "%ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP 
FINs", + "kind": "event", + "start": "2018-12-10T08:01:54.000Z", + "action": "flow-expiration", + "end": "2018-12-11T08:01:53.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "dmz", + "message_id": "302014", + "connection_id": "447237", + "source_interface": "outside" + } + }, + "network": { + "bytes": 11420, + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2012-08-15T23:30:09.000Z", + "related": { + "ip": [ + "10.44.4.4", + "10.44.2.2" + ] + }, + "log": { + "level": "informational" + }, + "destination": { + "port": 500, + "address": "10.44.2.2", + "ip": "10.44.2.2" + }, + "source": { + "port": 500, + "address": "10.44.4.4", + "ip": "10.44.4.4" + }, + "event": { + "severity": 6, + "duration": 122000000000, + "ingested": "2020-11-30T17:49:51.360336Z", + "code": 302016, + "original": "%ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", + "kind": "event", + "start": "2012-08-15T23:28:07.000Z", + "action": "flow-expiration", + "end": "2012-08-15T23:30:09.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "302016", + "connection_id": "40", + "source_interface": "outside" + } + }, + "network": { + "bytes": 1416, + "iana_number": 17, + "transport": "udp" + } + }, + { + "observer": { + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Mobile_Traffic" + } + } + }, + "@timestamp": "2014-09-12T06:50:53.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.88.99.47" + ] + }, + "log": { 
+ "level": "critical" + }, + "host": { + "hostname": "GIFRCHN01" + }, + "destination": { + "address": "192.88.99.47", + "ip": "192.88.99.47" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360337Z", + "code": 106016, + "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic", + "message_id": "106016" + } + } + }, + { + "observer": { + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Mobile_Traffic" + } + } + }, + "@timestamp": "2014-09-12T06:51:01.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.88.99.57" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "GIFRCHN01" + }, + "destination": { + "address": "192.88.99.57", + "ip": "192.88.99.57" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360338Z", + "code": 106016, + "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic", + "message_id": "106016" + } + } + }, + { + "observer": { + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Mobile_Traffic" + } + } + }, + "@timestamp": "2014-09-12T06:51:05.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.88.99.47" + ] + }, + "log": { + "level": "critical" + }, + 
"host": { + "hostname": "GIFRCHN01" + }, + "destination": { + "address": "192.88.99.47", + "ip": "192.88.99.47" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360338Z", + "code": 106016, + "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic", + "message_id": "106016" + } + } + }, + { + "observer": { + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Mobile_Traffic" + } + } + }, + "@timestamp": "2014-09-12T06:51:05.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.88.99.47" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "GIFRCHN01" + }, + "destination": { + "address": "192.88.99.47", + "ip": "192.88.99.47" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360339Z", + "code": 106016, + "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic", + "message_id": "106016" + } + } + }, + { + "observer": { + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Mobile_Traffic" + } + } + }, + "@timestamp": "2014-09-12T06:51:06.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.88.99.57" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": 
"GIFRCHN01" + }, + "destination": { + "address": "192.88.99.57", + "ip": "192.88.99.57" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360340Z", + "code": 106016, + "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic", + "message_id": "106016" + } + } + }, + { + "observer": { + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Mobile_Traffic" + } + } + }, + "@timestamp": "2014-09-12T06:51:17.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.88.99.57" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "GIFRCHN01" + }, + "destination": { + "address": "192.88.99.57", + "ip": "192.88.99.57" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360341Z", + "code": 106016, + "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic", + "message_id": "106016" + } + } + }, + { + "observer": { + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Mobile_Traffic" + } + } + }, + "@timestamp": "2014-09-12T06:52:48.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.168.1.255" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "GIFRCHN01" + }, + 
"destination": { + "address": "192.168.1.255", + "ip": "192.168.1.255" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360341Z", + "code": 106016, + "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic", + "message_id": "106016" + } + } + }, + { + "observer": { + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Mobile_Traffic" + } + } + }, + "@timestamp": "2014-09-12T06:53:00.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "0.0.0.0", + "192.168.1.255" + ] + }, + "log": { + "level": "critical" + }, + "host": { + "hostname": "GIFRCHN01" + }, + "destination": { + "address": "192.168.1.255", + "ip": "192.168.1.255" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "ingested": "2020-11-30T17:49:51.360342Z", + "code": 106016, + "original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "Mobile_Traffic", + "message_id": "106016" + } + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } + }, + "@timestamp": "2014-09-12T06:53:01.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "192.0.2.95", + "10.32.112.125" + ] + }, + "log": { + "level": "warning" + }, + "host": { + 
"hostname": "GIFRCHN01" + }, + "destination": { + "port": 25, + "address": "10.32.112.125", + "ip": "10.32.112.125" + }, + "source": { + "port": 24069, + "address": "192.0.2.95", + "ip": "192.0.2.95" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360343Z", + "code": 106023, + "original": "%ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "message_id": "106023", + "rule_name": "PERMIT_IN", + "source_interface": "outside" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "hostname": "GIFRCHN01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "Outside" + } + } + }, + "@timestamp": "2014-09-12T06:53:02.000Z", + "related": { + "hosts": [ + "GIFRCHN01" + ], + "ip": [ + "10.2.3.5" + ] + }, + "log": { + "level": "error" + }, + "host": { + "hostname": "GIFRCHN01" + }, + "source": { + "address": "10.2.3.5", + "ip": "10.2.3.5" + }, + "event": { + "severity": 3, + "ingested": "2020-11-30T17:49:51.360344Z", + "code": 313001, + "original": "%ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "icmp_type": 3, + "message_id": "313001", + "icmp_code": 3, + "source_interface": "Outside" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2015-01-14T13:16:13.000Z", + "related": { + "ip": [ + "172.16.30.2", + 
"172.16.1.10" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "address": "172.16.1.10", + "ip": "172.16.1.10" + }, + "source": { + "address": "172.16.30.2", + "ip": "172.16.30.2" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360344Z", + "code": 313004, + "original": "%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "icmp_type": 0, + "source_interface": "inside", + "message_id": "313004" + } + }, + "network": { + "iana_number": 1, + "transport": "icmp" + } + }, + { + "server": { + "domain": "bad.example.com" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2015-01-14T13:16:14.000Z", + "related": { + "hosts": [ + "bad.example.com" + ], + "ip": [ + "10.1.1.45", + "192.88.99.129" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "address": "192.88.99.129", + "port": 80, + "domain": "bad.example.com", + "ip": "192.88.99.129" + }, + "source": { + "nat": { + "port": 7890, + "ip": "192.88.99.1" + }, + "address": "10.1.1.45", + "port": 6798, + "ip": "10.1.1.45" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360345Z", + "code": 338002, + "original": "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + 
"mapped_source_port": 7890, + "mapped_destination_ip": "192.88.99.129", + "mapped_source_ip": "192.88.99.1", + "rule_name": "dynamic", + "source_interface": "inside", + "mapped_destination_port": 80, + "message_id": "338002" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outsidet" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2015-01-14T13:16:14.000Z", + "related": { + "ip": [ + "10.1.1.1", + "192.0.2.223" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 80, + "address": "192.0.2.223", + "ip": "192.0.2.223" + }, + "source": { + "nat": { + "ip": "10.2.1.1" + }, + "address": "10.1.1.1", + "port": 33340, + "ip": "10.1.1.1" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360346Z", + "code": 338004, + "original": "%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ], + "outcome": "monitored" + }, + "cisco": { + "asa": { + "destination_interface": "outsidet", + "mapped_source_port": 33340, + "threat_level": "very-high", + "mapped_destination_ip": "192.0.2.223", + "mapped_source_ip": "10.2.1.1", + "rule_name": "dynamic", + "source_interface": "inside", + "mapped_destination_port": 80, + "message_id": "338004", + "threat_category": "Malware" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "ingress": { + "interface": { + "name": "outsidet" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + 
} + } + }, + "@timestamp": "2015-01-14T13:16:14.000Z", + "related": { + "ip": [ + "10.1.1.1", + "192.0.2.223" + ] + }, + "log": { + "level": "warning" + }, + "destination": { + "port": 80, + "address": "192.0.2.223", + "ip": "192.0.2.223" + }, + "source": { + "nat": { + "ip": "10.2.1.1" + }, + "address": "10.1.1.1", + "port": 33340, + "ip": "10.1.1.1" + }, + "event": { + "severity": 4, + "ingested": "2020-11-30T17:49:51.360347Z", + "code": 338008, + "original": "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "destination_interface": "outsidet", + "mapped_source_port": 33340, + "threat_level": "very-high", + "mapped_destination_ip": "192.0.2.223", + "mapped_source_ip": "10.2.1.1", + "rule_name": "dynamic", + "source_interface": "inside", + "mapped_destination_port": 80, + "message_id": "338008", + "threat_category": "Malware" + } + }, + "network": { + "iana_number": 6, + "transport": "tcp" + } + }, + { + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2009-11-16T14:12:35.000Z", + "related": { + "ip": [ + "10.30.30.30", + "192.0.2.1" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "address": "192.0.2.1", + "ip": "192.0.2.1" + }, + "source": { + "address": "10.30.30.30", + "ip": "10.30.30.30" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360347Z", + "code": 304001, + "original": "%ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, 
+ "cisco": { + "asa": { + "message_id": "304001" + } + }, + "url": { + "original": "/app" + } + }, + { + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2009-11-16T14:12:36.000Z", + "related": { + "ip": [ + "10.5.111.32", + "192.0.2.32" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "address": "192.0.2.32", + "ip": "192.0.2.32" + }, + "source": { + "address": "10.5.111.32", + "ip": "10.5.111.32" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360348Z", + "code": 304001, + "original": "%ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "allow" + }, + "cisco": { + "asa": { + "message_id": "304001" + } + }, + "url": { + "original": "http://example.com" + } + }, + { + "observer": { + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2009-11-16T14:12:37.000Z", + "related": { + "ip": [ + "10.69.6.39", + "192.0.0.19" + ] + }, + "log": { + "level": "notification" + }, + "destination": { + "address": "192.0.0.19", + "ip": "192.0.0.19" + }, + "source": { + "address": "10.69.6.39", + "ip": "10.69.6.39" + }, + "event": { + "severity": 5, + "ingested": "2020-11-30T17:49:51.360349Z", + "code": 304002, + "original": "%ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "deny" + }, + "cisco": { + "asa": { + "source_interface": "inside", + "message_id": "304002" + } + }, + "url": { + "original": "http://www.example.net/images/favicon.ico" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml index 3c01dd36f64..9986e1ad4e0 100644 --- a/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco/data_stream/asa/elasticsearch/ingest_pipeline/default.yml @@ -1,6 +1,9 @@ --- description: "Pipeline for Cisco ASA logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # # Parse the syslog header # @@ -62,7 +65,7 @@ processors: # Parse the date included in FTD logs # - date: - if: "ctx.event.timezone == null" + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" field: "_temp_.raw_date" target_field: "@timestamp" formats: @@ -94,7 +97,7 @@ processors: }, ] - date: - if: "ctx.event.timezone != null" + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" timezone: "{{ event.timezone }}" field: "_temp_.raw_date" target_field: "@timestamp" 
@@ -187,10 +190,11 @@ processors:
 if: "ctx._temp_.cisco.message_id == '106007'"
 field: "message"
 pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}"
- - dissect:
+ - grok:
 if: "ctx._temp_.cisco.message_id == '106010'"
 field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '106013'"
 field: "message"
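Review bot: In the new 106010 pattern the optional groups `(%{DATA})?` and `(%{GREEDYDATA})?` are redundant, because `DATA` and `GREEDYDATA` already match the empty string, so `%{POSINT:source.port} %{DATA}dst` and a bare trailing `%{GREEDYDATA}` express the same match with less regex nesting; the 106014 pattern in the next hunk has the same shape. Since grok patterns are unanchored, a leading `^` on these patterns would also keep an unexpected token before `src` from producing a shifted match rather than a clean failure.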
@@ -203,14 +207,16 @@ processors:
 if: "ctx._temp_.cisco.message_id == '106013'"
 field: "network.direction"
 value: inbound
- - dissect:
+ - grok:
 if: "ctx._temp_.cisco.message_id == '106014'"
 field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}"
- - dissect:
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?"
+ - grok:
 if: "ctx._temp_.cisco.message_id == '106015'"
 field: "message"
- pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '106016'"
 field: "message"
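Review bot: The new 106015 grok pattern replaces the literal `(no connection)` with a single `%{NOTSPACE}`, but the removed dissect pattern shows that text contains a space, so the unanchored grok does not fail: it slides one token to the right and captures the transport token as `event.outcome` and `(no` as `network.transport`, with the real outcome lost. Using `%{DATA}` for that span and anchoring the pattern fixes it: `- "^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{DATA} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"`. None of the visible fixture entries exercise 106015, so a pipeline test line for it would be worth adding alongside the fix.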
@@ -247,19 +253,70 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '106100'" field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '111004'" + field: "message" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + value: "failure" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:host.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + patterns: + - "User '%{NOTSPACE:host.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed 
%{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" - dissect: - if: "ctx._temp_.cisco.message_id == '106102'" + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" + pattern: "Built %{network.direction} %{network.transport} connection %{_temp_.cisco.connection_id} for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - dissect: - if: "ctx._temp_.cisco.message_id == '106103'" + if: "ctx._temp_.cisco.message_id == '303002'" field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - dissect: + if: "ctx._temp_.cisco.message_id == '302012'" + field: "message" + pattern: "Teardown %{} %{network.transport} translation from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr %{IP:destination.address}/%{NUMBER} (%{DATA})?gaddr %{IP:_temp_.natsrcip}/%{NUMBER} laddr %{IP:source.address}/%{NUMBER}(%{GREEDYDATA})?" + - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - grok: if: "ctx._temp_.cisco.message_id == '304001'" field: "message" - pattern: "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}" + patterns: + - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" @@ -268,6 +325,10 @@ processors: if: "ctx._temp_.cisco.message_id == '304002'" field: "message" pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + pattern: "Built %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '313001'" field: "message" 
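Review bot: The 111010 grok captures `%{QUOTEDSTRING:_temp_.cisco.command_line_arguments}`, and QUOTEDSTRING keeps the delimiting quotes in the capture, so for 111010 this field carries the surrounding quotes while the 111009 pattern's `%{GREEDYDATA:_temp_.cisco.command_line_arguments}` capture does not; anything keyed on the executed command (the admin-activity audit these two messages provide) will see two different shapes. If the ASA always single-quotes the command, as the same pattern assumes for the user name, `executed '%{DATA:_temp_.cisco.command_line_arguments}'` gives a consistent value; otherwise strip the quotes with a follow-up `gsub` on that field. Separately, the 113019 pattern writes `Reason: %{message}`, which replaces the `message` field being parsed with just the reason text; that is presumably intended since the fixtures show `event.original` keeping the raw line, but a one-line comment on that processor saying so would save the next reader a check.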
@@ -283,11 +344,11 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '313008'" field: "message" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '313009'" field: "message" - pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '322001'" field: "message" @@ -300,6 +361,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338001'" field: "server.domain" value: "{{source.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338002'" field: "message" @@ -308,6 +370,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338002'" field: "server.domain" value: "{{destination.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338003'" field: "message" 
@@ -324,6 +387,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338005'" field: "server.domain" value: "{{source.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338006'" field: "message" @@ -332,6 +396,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338006'" field: "server.domain" value: "{{destination.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338007'" field: "message" @@ -348,6 +413,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338101'" field: "server.domain" value: "{{source.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338102'" field: "message" @@ -356,6 +422,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338102'" field: "server.domain" value: "{{destination.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338103'" field: "message" @@ -372,6 +439,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338201'" field: "server.domain" value: "{{source.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338202'" field: "message" @@ -380,6 +448,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338202'" field: "server.domain" value: "{{destination.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338203'" field: "message" @@ -388,6 +457,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338203'" field: "server.domain" value: "{{source.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338204'" field: "message" @@ -396,6 +466,7 @@ processors: if: "ctx._temp_.cisco.message_id == '338204'" field: "server.domain" value: "{{destination.domain}}" + ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338301'" field: "message" 
@@ -404,22 +475,92 @@ processors: if: "ctx._temp_.cisco.message_id == '338301'" field: "client.address" value: "{{destination.address}}" + ignore_empty_value: true - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "client.port" value: "{{destination.port}}" + ignore_empty_value: true - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "server.address" value: "{{source.address}}" + ignore_empty_value: true - set: if: "ctx._temp_.cisco.message_id == '338301'" field: "server.port" value: "{{source.port}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "message" + pattern: "User priv level changed: Uname: %{host.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.type" + value: + - "group" + - "change" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.category" + value: "iam" + - dissect: + if: "ctx._temp_.cisco.message_id == '507003'" + field: "message" + pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" + - dissect: + if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '609001'" + field: "message" + pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '609002'" + field: "message" + pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" + - dissect: + if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{host.user.name}' + - dissect: + if: "ctx._temp_.cisco.message_id == '710003'" + field: "message" + pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '710005'" + field: "message" + pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: 
"ctx._temp_.cisco.message_id == '713049'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '716002'" + field: "message" + pattern: "Group %{} User %{source.user.name} IP %{source.address} WebVPN session terminated: User Requested." + - dissect: + if: "ctx._temp_.cisco.message_id == '722051'" + field: "message" + pattern: "Group %{} User %{source.user.name} IP %{source.address} IPv4 Address %{_temp_.cisco.assigned_ip} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '733100'" + field: "message" + pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" + - dissect: + if: "ctx._temp_.cisco.message_id == '805001'" + field: "message" + pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '805002'" + field: "message" + pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - split: field: "_temp_.cisco.dap_records" separator: ",\\s+" @@ -429,7 +570,7 @@ processors: # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - set: - if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" - grok: @@ -953,7 +1094,7 @@ processors: - set: field: "_temp_.duration_hms" value: "{{event.duration}}" - if: "ctx.event?.duration != null" + ignore_empty_value: true # # Process the flow duration "hh:mm:ss" present in some messages 
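Review bot: The 605004/605005 and 611101/611102 dissect patterns write the raw message token straight into `event.outcome` (`Login %{event.outcome}`, `User authentication %{event.outcome}`), whereas the 111004 processors added earlier in this diff map the token to the ECS values `success`/`failure` explicitly. Unless a processor outside this hunk normalises them, login and authentication events will carry the message's own wording (presumably `permitted`/`denied` and `succeeded`/`failed`), which authentication-failure detections keyed on `event.outcome: failure` will not match. Dissecting into `_temp_.cisco.auth_outcome` and adding `set` processors like the 111004 ones keeps the field ECS-conformant. Within this hunk those four message ids also get no `event.category`/`event.type` append comparable to the `iam`/`group` appends for 502103, so they depend entirely on the later categorization script for classification.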
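Review bot: `302020` and `609001` are added to the list that sets `event.action: flow-expiration`, yet their patterns in this diff parse `Built ... connection` and `Built local-host` messages, and the categorization script added later in this diff maps `flow-expiration` to `event.type: [connection, end]`; unless a later processor overrides the action for those two ids, connection-start messages will be categorized as connection ends. A separate `- set: if: '["302020", "609001"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "connection-started"` matches the `connection-started` params entry the script already defines. 302012 and 609002 are Teardown messages and belong in the flow-expiration list as written.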
@@ -1226,19 +1367,33 @@ processors: - set: field: source.nat.ip value: "{{_temp_.cisco.mapped_source_ip}}" - if: "ctx._temp_.cisco.mapped_source_ip != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)" + if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip" + ignore_empty_value: true - set: field: source.nat.port value: "{{_temp_.cisco.mapped_source_port}}" - if: "ctx._temp_.cisco.mapped_source_port != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)" + if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port" + ignore_empty_value: true - set: field: destination.nat.ip value: "{{_temp_.cisco.mapped_destination_ip}}" - if: "ctx._temp_.cisco.mapped_destination_ip != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)" + if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip" + ignore_empty_value: true - set: field: destination.nat.port value: "{{_temp_.cisco.mapped_destination_port}}" - if: "ctx._temp_.cisco.mapped_destination_port != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)" + if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" + ignore_empty_value: true + + - convert: + field: "source.nat.port" + type: integer + ignore_failure: true + + - convert: + field: "destination.nat.port" + type: integer + ignore_failure: true # # Populate ECS event.code 
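Review bot: The third new condition, `if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"`, lacks the null-safe access that its three siblings use (`cisco?.`); Painless, as far as I recall, does not short-circuit the remainder of a chain once an earlier `?.` yields null, so if `_temp_.cisco` can be absent at this point the processor would fail with a null dereference instead of being skipped. Change it to `if: "ctx?._temp_?.cisco?.mapped_destination_ip != ctx?.destination?.ip"` to match the others. Separately, the two added `convert` processors rely on `ignore_failure: true` only to tolerate an absent field; `ignore_missing: true` states that intent directly and still reports a genuinely non-numeric NAT port, which `ignore_failure` would hide.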
@@ -1283,6 +1438,139 @@ processors: target_field: cisco.asa.rule_name ignore_missing: true + # ECS categorization + - script: + lang: painless + params: + connection-finished: + kind: event + category: + - network + type: + - connection + - end + connection-started: + kind: event + category: + - network + type: + - connection + - start + file-detected: + kind: alert + category: + - malware + type: + - info + firewall-rule: + kind: event + category: + - network + type: + - info + flow-expiration: + kind: event + category: + - network + type: + - connection + - end + intrusion-detected: + kind: alert + category: + - intrusion_detection + type: + - info + malware-detected: + kind: alert + category: + - malware + type: + - info + source: >- + if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { + return; + } + ctx.event.kind = params.get(ctx.event.action).get('kind'); + ctx.event.category = params.get(ctx.event.action).get('category').clone(); + ctx.event.type = params.get(ctx.event.action).get('type').clone(); + + if (ctx?.event?.outcome == null) { + return; + } + if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { + if (ctx.event.outcome == 'allow') { + ctx.event.type.add('allowed'); + } + if (ctx.event.outcome == 'deny') { + ctx.event.type.add('denied'); + } + if (ctx.event.outcome == 'block') { + ctx.event.type.add('denied'); + } + } + + # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. 
+ - set: + field: observer.hostname + value: "{{ host.hostname }}" + ignore_empty_value: true + - set: + field: observer.vendor + value: "Cisco" + ignore_empty_value: true + - set: + field: observer.type + value: "firewall" + ignore_empty_value: true + - set: + field: observer.product + value: "asa" + ignore_empty_value: true + - set: + field: observer.egress.interface.name + value: "{{ cisco.asa.source_interface }}" + ignore_empty_value: true + - set: + field: observer.ingress.interface.name + value: "{{ cisco.asa.destination_interface }}" + ignore_empty_value: true + - append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" + - append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" + - append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" + - append: + field: related.hash + value: "{{file.hash.sha256}}" + if: "ctx?.file?.hash?.sha256 != null" + - append: + field: related.hosts + value: "{{host.hostname}}" + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{observer.hostname}}" + if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{destination.domain}}" + if: ctx.destination?.domain != null && ctx.destination?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{source.domain}}" + if: ctx.source?.domain != null && ctx.source?.domain != '' + allow_duplicates: false on_failure: # Copy any fields under _temp_.cisco to its final destination. Those can help # with diagnosing the failure. diff --git a/packages/cisco/data_stream/asa/fields/agent.yml b/packages/cisco/data_stream/asa/fields/agent.yml index da4e652c53b..ae296605fa7 100644 --- a/packages/cisco/data_stream/asa/fields/agent.yml +++ b/packages/cisco/data_stream/asa/fields/agent.yml 
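Review bot: The observer interface mapping looks reversed: `observer.egress.interface.name` is filled from `cisco.asa.source_interface` and `observer.ingress.interface.name` from `cisco.asa.destination_interface`, whereas in ASA messages the source interface is the one the packet arrived on (ingress in ECS terms) and the destination interface is where it left (egress), unless I am misreading the convention. Swapping the two `value:` lines, `value: "{{ cisco.asa.destination_interface }}"` under egress and `value: "{{ cisco.asa.source_interface }}"` under ingress, fixes it; otherwise zone-aware rules built on these fields are inverted without any error. The two `related.ip` appends also lack the `allow_duplicates: false` that the `related.hosts` appends carry, so a flow whose source and destination IP coincide stores the address twice. The `# ECS categorization` comment would be more useful if it said that `event.kind`/`category`/`type` are derived only for `event.action` values present in `params`, and that `event.type` additionally gains `allowed`/`denied` from `event.outcome` for the network and intrusion_detection categories.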
@@ -196,3 +196,6 @@ description: > OS codename, if any. +- name: syslog.facility + type: keyword + description: Syslog facility. diff --git a/packages/cisco/data_stream/asa/fields/ecs.yml b/packages/cisco/data_stream/asa/fields/ecs.yml index 1d2ea23718e..d032061a3cb 100644 --- a/packages/cisco/data_stream/asa/fields/ecs.yml +++ b/packages/cisco/data_stream/asa/fields/ecs.yml 
@@ -51,3 +51,254 @@ - name: event.duration type: long description: Duration of the event in nanoseconds. +- name: destination.address + type: keyword + description: Destination network address. +- name: destination.as.number + type: long + description: Unique number allocated to the autonomous system. +- name: destination.as.organization.name + type: keyword + description: Organization name. +- name: destination.domain + type: keyword + description: Destination domain. +- name: destination.geo.city_name + type: keyword + description: City name. +- name: destination.geo.continent_name + type: keyword + description: Name of the continent. +- name: destination.geo.country_iso_code + type: keyword + description: Country ISO code. +- name: destination.geo.country_name + type: keyword + description: Country name. +- name: destination.geo.region_iso_code + type: keyword + description: Region ISO code. +- name: destination.geo.region_name + type: keyword + description: Region name. +- name: destination.geo.location + type: geo_point + description: Longitude and latitude. +- name: destination.ip + type: ip + description: IP address of the destination. +- name: destination.nat.port + type: long + description: Destination NAT Port +- name: destination.port + type: long + description: Port of the destination. +- name: error.message + type: text + description: Error message. +- name: log.level + type: keyword + description: Log level of the log event. +- name: log.original + type: keyword + description: Original log message with light interpretation only (encoding, newlines). +- name: network.bytes + type: long + description: Total bytes transferred in both directions. +- name: network.direction + type: keyword + description: Direction of the network traffic. +- name: network.iana_number + type: keyword + description: IANA Protocol Number. +- name: network.protocol + type: keyword + description: L7 Network protocol name. 
+- name: network.transport + type: keyword + description: Protocol Name corresponding to the field `iana_number`. +- name: process.name + type: keyword + description: Process name. +- name: process.pid + type: long + description: Process id. +- name: server.domain + type: keyword + description: Server domain. +- name: source.address + type: keyword + description: Source network address. +- name: source.domain + type: keyword + description: Source domain. +- name: source.geo.city_name + type: keyword + description: City name. +- name: source.geo.continent_name + type: keyword + description: Name of the continent. +- name: source.geo.country_iso_code + type: keyword + description: Country ISO code. +- name: source.geo.country_name + type: keyword + description: Country name. +- name: source.geo.region_iso_code + type: keyword + description: Region ISO code. +- name: source.geo.location + type: geo_point + description: Longitude and latitude. +- name: source.geo.region_name + type: keyword + description: Region name. +- name: source.ip + type: ip + description: IP address of the source. +- name: source.nat.ip + type: ip + description: Source NAT ip +- name: source.nat.port + type: long + description: Source NAT port +- name: source.port + type: long + description: Port of the source. +- name: url.original + type: keyword + description: Unmodified original url as seen in the event source. +- name: user.email + type: keyword + description: User email address. +- name: user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert +- name: destination.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert +- name: source.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert +- name: client.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert +- name: source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 +- name: destination.bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 +- name: destination.nat.ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + + Typically used with load balancers, firewalls, or routers.' +- name: nat.port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' +- name: file.path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + example: /home/alice/example.png +- name: observer.egress.interface.name + type: keyword + description: Interface name +- name: observer.egress.zone + type: keyword + description: Observer Egress zone +- name: observer.ingress.interface.name + type: keyword + description: Interface name +- name: observer.ingress.zone + type: keyword + description: Observer ingress zone +- name: observer.ip + type: ip + description: IP addresses of the observer. +- name: observer.name + type: keyword + description: Custom name of the observer. 
+- name: observer.product + type: keyword + description: The product name of the observer. +- name: observer.type + type: keyword + description: The type of the observer the data is coming from. +- name: observer.vendor + type: keyword + description: Vendor name of the observer. +- name: observer.version + type: keyword + description: Observer version. +- name: observer.hostname + type: keyword + description: Hostname of the observer. +- name: related.ip + type: ip + description: All of the IPs seen on your event. +- name: related.user + type: keyword + description: All the user names seen on your event. +- name: related.hosts + level: extended + type: keyword + ignore_above: 1024 + description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + default_field: false +- name: source.as.number + type: long + description: Unique number allocated to the autonomous system. +- name: source.as.organization.name + type: keyword + description: Organization name. diff --git a/packages/cisco/data_stream/asa/fields/fields.yml b/packages/cisco/data_stream/asa/fields/fields.yml index fb495e6b7c5..5c162af7433 100644 --- a/packages/cisco/data_stream/asa/fields/fields.yml +++ b/packages/cisco/data_stream/asa/fields/fields.yml 
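Review bot: The `nat.port` entry declared in this hunk (with `format: string`) is not an ECS field; ECS defines only `source.nat.port` and `destination.nat.port`, both of which this same hunk already declares as `long`, and its description ("Port the source session is translated to") reads like a copy of the source field, so it appears to be a leftover. None of the visible processors write to `nat.port`, so it adds a stray mapping and a README row without data behind it; drop the block or, if it is intentional, say why in its `description`. `format: string` on a `long` is also inconsistent with the sibling port definitions.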
@@ -73,3 +73,75 @@ type: keyword description: | The assigned DAP records + - name: mapped_destination_host + type: keyword + - name: username + type: keyword + - name: mapped_source_host + type: keyword + - name: command_line_arguments + default_field: false + type: keyword + description: > + The command line arguments logged by the local audit log + + - name: assigned_ip + default_field: false + type: ip + description: > + The IP address assigned to a VPN client successfully connecting + + - name: privilege.old + default_field: false + type: keyword + description: > + When a users privilege is changed this is the old value + + - name: privilege.new + default_field: false + type: keyword + description: > + When a users privilege is changed this is the new value + + - name: burst.object + default_field: false + type: keyword + description: > + The related object for burst warnings + + - name: burst.id + default_field: false + type: keyword + description: > + The related rate ID for burst warnings + + - name: burst.current_rate + default_field: false + type: keyword + description: > + The current burst rate seen + + - name: burst.configured_rate + default_field: false + type: keyword + description: > + The current configured burst rate + + - name: burst.avg_rate + default_field: false + type: keyword + description: > + The current average burst rate seen + + - name: burst.configured_avg_rate + default_field: false + type: keyword + description: > + The current configured average burst rate allowed + + - name: burst.cumulative_count + default_field: false + type: keyword + description: > + The total count of burst rate hits since the object was created or cleared + diff --git a/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml index 7e706a06250..071e5821d99 100644 --- a/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml 
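Review bot: `mapped_destination_host`, `username` and `mapped_source_host` are added without a `description`, which is why they render with empty cells in the README table generated in this same commit; each needs one sentence in the style of its neighbours stating what the value is and which message populates it. The `burst.*` rate and count fields are typed `keyword` although the 733100 dissect pattern captures numeric values ("Current burst rate is N per second"); indexing them as `long` would let threshold rules compare them numerically, provided the ASA never emits non-numeric text in those positions.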
+++ b/packages/cisco/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml @@ -62,7 +62,7 @@ processors: # Parse the date included in FTD logs # - date: - if: "ctx.event.timezone == null" + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" field: "_temp_.raw_date" target_field: "@timestamp" formats: @@ -94,7 +94,7 @@ processors: }, ] - date: - if: "ctx.event.timezone != null" + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" timezone: "{{ event.timezone }}" field: "_temp_.raw_date" target_field: "@timestamp" diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md index 621450d8907..389988e85e2 100644 --- a/packages/cisco/docs/README.md +++ b/packages/cisco/docs/README.md @@ -22,6 +22,15 @@ The `asa` dataset collects the Cisco firewall logs. | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | +| cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.asa.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.asa.burst.configured_rate | The current configured burst rate | keyword | +| cisco.asa.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.asa.burst.current_rate | The current burst rate seen | keyword | +| cisco.asa.burst.id | The related rate ID for burst warnings | keyword | +| cisco.asa.burst.object | The related object for burst warnings | keyword | +| cisco.asa.command_line_arguments | The command line arguments logged by the local audit log | keyword | | cisco.asa.connection_id | Unique identifier for a flow. | keyword | | cisco.asa.connection_type | The VPN connection type | keyword | | cisco.asa.dap_records | The assigned DAP records | keyword | 
@@ -29,17 +38,23 @@ The `asa` dataset collects the Cisco firewall logs. | cisco.asa.destination_username | Name of the user that is the destination for this event. | keyword | | cisco.asa.icmp_code | ICMP code. | short | | cisco.asa.icmp_type | ICMP type. | short | +| cisco.asa.mapped_destination_host | | keyword | | cisco.asa.mapped_destination_ip | The translated destination IP address. | ip | | cisco.asa.mapped_destination_port | The translated destination port. | long | +| cisco.asa.mapped_source_host | | keyword | | cisco.asa.mapped_source_ip | The translated source IP address. | ip | | cisco.asa.mapped_source_port | The translated source port. | long | | cisco.asa.message_id | The Cisco ASA message identifier. | keyword | +| cisco.asa.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword | | cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword | | cisco.asa.source_interface | Source interface for the flow or event. | keyword | | cisco.asa.source_username | Name of the user that is the source for this event. | keyword | | cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword | | cisco.asa.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | | cisco.asa.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | +| cisco.asa.username | | keyword | +| client.user.name | Short name or login of the user. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. 
| keyword | 
@@ -56,9 +71,27 @@ The `asa` dataset collects the Cisco firewall logs. | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| destination.address | Destination network address. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination. | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Destination NAT Port | long | +| destination.port | Port of the destination. | long | +| destination.user.name | Short name or login of the user. | keyword | +| error.message | Error message. | text | | event.category | Event category (e.g. database) | keyword | | event.code | Identification code for this event | keyword | -| event.created | Date/time when the event was first read by an agent, or by your pipeline. | date | +| event.created | The date/time when the event was first read by an agent, or by your pipeline. | date | | event.duration | Duration of the event in nanoseconds. 
| long | | event.end | The date when the event ended or when the activity was last observed. | keyword | | event.kind | Event kind (e.g. event) | keyword | @@ -66,6 +99,7 @@ The `asa` dataset collects the Cisco firewall logs. | event.start | The date when the event started or when the activity was first observed. | date | | event.timezone | Time zone information | keyword | | event.type | Event severity (e.g. info, error) | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | 
@@ -83,7 +117,53 @@ The `asa` dataset collects the Cisco firewall logs. | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. | object | +| log.level | Log level of the log event. | keyword | +| log.original | Original log message with light interpretation only (encoding, newlines). | keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. | text | +| nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| network.bytes | Total bytes transferred in both directions. | long | +| network.direction | Direction of the network traffic. | keyword | +| network.iana_number | IANA Protocol Number. | keyword | +| network.protocol | L7 Network protocol name. | keyword | +| network.transport | Protocol Name corresponding to the field `iana_number`. | keyword | +| observer.egress.interface.name | Interface name | keyword | +| observer.egress.zone | Observer Egress zone | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name | keyword | +| observer.ingress.zone | Observer ingress zone | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. 
| keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. | keyword | +| process.pid | Process id. | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names seen on your event. | keyword | +| server.domain | Server domain. | keyword | +| source.address | Source network address. | keyword | +| source.as.number | Unique number allocated to the autonomous system. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source. | ip | +| source.nat.ip | Source NAT ip | ip | +| source.nat.port | Source NAT port | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. | keyword | +| syslog.facility | Syslog facility. | keyword | +| url.original | Unmodified original url as seen in the event source. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | ### FTD diff --git a/packages/cisco/manifest.yml b/packages/cisco/manifest.yml index fd2e7f38c34..aa946584c4d 100644 --- a/packages/cisco/manifest.yml +++ b/packages/cisco/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco
 title: Cisco
-version: 0.7.4
+version: 0.7.5
 license: basic
 description: Cisco Integration
 type: integration