
[cisco_ftd] Add Parsing for Some Extra Fields #13957


Merged
merged 2 commits into from
May 22, 2025

Conversation

mohitjha-elastic
Collaborator

Proposed Commit Message

cisco_ftd: add parsing for `EncryptPeerIP` and `VPN_Action` fields.

Previously, these fields were not handled in the pipeline.
This adds parsing logic to support `EncryptPeerIP` and `VPN_Action`,
enabling their proper processing in the data flow.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/cisco_ftd directory.
Run the following command to run tests.
elastic-package test -v

Related issues

  • Enhancements repo - 23222

Add parsing for `EncryptPeerIP` and `VPN_Action` fields that were not mapped previously.
@mohitjha-elastic mohitjha-elastic self-assigned this May 21, 2025
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner May 21, 2025 07:32
@mohitjha-elastic mohitjha-elastic added enhancement New feature or request Integration:cisco_ftd Cisco FTD Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels May 21, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport


@elasticmachine

💚 Build Succeeded

cc @mohitjha-elastic

@andrewkroh andrewkroh added the Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] label May 21, 2025
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

Contributor

@jrmolin jrmolin left a comment


Seems okay, but I don't see how the tcp moved to udp. Please verify that.

@@ -41,7 +41,7 @@
},
"data_stream": {
"dataset": "cisco_ftd.log",
"namespace": "ep",
"namespace": "84072",
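Review bot: The data_stream.namespace in this sample event changes from "ep" to "84072", which has nothing to do with the EncryptPeerIP and VPN_Action parsing the PR describes; if the sample event was regenerated by tooling rather than edited by hand, state that in the PR description so reviewers can separate generated sample-event churn from the parsing change, and confirm that the numeric namespace is what the newly selected event actually carried.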
Contributor


Is this intentional?

Collaborator Author


elastic-package sometimes selects a new sample event randomly and the order itself isn't deterministic, hence the changes related to the sample events and README are intentional.

@@ -99,12 +99,12 @@
"hostname": "firepower"
},
"input": {
"type": "tcp"
"type": "udp"
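Review bot: The input.type flip from "tcp" to "udp" in this hunk is not explained by the parsing change in the PR description; note in the description that the sample event was regenerated and a different (UDP-input) event was picked, so this line is not read as a behavioural change to the tcp input, and keep it consistent with the matching README example.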
Contributor


Please verify this is also correct -- I don't see evidence of it.

@@ -137,12 +137,12 @@ An example event for `log` looks as following:
"hostname": "firepower"
},
"input": {
"type": "tcp"
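Review bot: Only the removed "tcp" line of this README hunk (the "An example event for `log`" section) is visible here, but it mirrors the sample-event change above; the README example and the sample event must be updated together, and the PR description should say both were regenerated rather than hand-edited so the diff is not mistaken for a change in input handling.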
Contributor


Same as above.

@taylor-swanson
Contributor

> Seems okay, but I don't see how the tcp moved to udp. Please verify that.

@jrmolin @mohitjha-elastic,

So I've noticed that elastic-package will sometimes select a new sample event. Could be that the logic to select which event to use changed, or the order itself isn't deterministic, but either way, it's usually not an issue. I haven't reviewed the changes yet, but I almost always ignore changes to the sample event.

Contributor

@taylor-swanson taylor-swanson left a comment


LGTM

Regarding the sample event changes, seems like it just chose the UDP input one this time. Other field changes seem consistent with newer agent versions.

@mohitjha-elastic mohitjha-elastic requested a review from jrmolin May 22, 2025 07:09
@taylor-swanson taylor-swanson merged commit cd934c8 into elastic:main May 22, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package cisco_ftd - 3.9.0 containing this change is available at https://epr.elastic.co/package/cisco_ftd/3.9.0/

anupratharamachandran pushed a commit to anupratharamachandran/integrations that referenced this pull request Jun 2, 2025
* Add parsing for EncryptPeerIP and VPN_Action fields.