[cisco_ftd] Add support for Security Group Tag and Endpoint Group fields (#15652)

* [cisco_ftd] Add SGT/EPG field parsing for connection events for (#15204)

* docs: address PR review feedback for cisco_ftd SGT/EPG fields

- Bump version to 3.11.0 (enhancement requires minor version bump)
- Update changelog link to PR #15652
- Remove pr.md file (not needed in integration packages)
- Remove empty lines from test-sgt.log
- Anonymize test DeviceUUID values

Addresses review comments from @P1llus and @bhapas

* fix: bump manifest version to 3.11.0 to match changelog

* fix: improved pipeline generate output after empty line cleanup,

Author: yahyaghani

packages/cisco_ftd/changelog.yml

@@ -1,9 +1,9 @@
 # newer versions go on top
-- version: "3.10.3"
+- version: "3.11.0"
   changes:
-    - description: Generate processor tags and normalize error handler.
+    - description: Add support for Security Group Tag (SGT) and Endpoint Group (EPG) fields in connection events.
       type: enhancement
-      link: https://github.com/elastic/integrations/pull/15530
+      link: https://github.com/elastic/integrations/pull/15652
 - version: "3.10.2"
   changes:
     - description: Fix parsing for message ID 313005 to accept input type unknown.

packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-config.yml

@@ -7,4 +7,4 @@ fields:
     external_zones:
       - output-zone
     internal_zones:
-      - input-zone
+      - input-zone

packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sgt.log

@@ -0,0 +1,2 @@
+2025-09-01T12:00:00Z firepower : %FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 11, FirstPacketSecond: 2025-09-01T12:35:00Z, ConnectionID: 39416, AccessControlRuleAction: Trust, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: SGT_TEST_GROUP, SourceSecurityGroupTag: 2003, SourceSecurityGroupType: Session Directory, DestinationIP_DynamicAttribute: APIC_EPG_TEST_GROUP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Workstation:Microsoft-Workstation:Windows11-Workstation, ACPolicy: ACP-Access, AccessControlRuleName: Test-Rule-1, Prefilter Policy: Default Prefilter Policy, User: testuser, Client: DNS, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 31, ResponderBytes: 238, NAPPolicy: Balanced Security and Connectivity
+2025-09-01T14:00:00Z firepower : %FTD-6-430002: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 4, FirstPacketSecond: 2025-09-01T14:00:03Z, ConnectionID: 36584, AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 22, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: 2005, SourceSecurityGroupTag: 2005, DestinationSecurityGroup: 9, DestinationSecurityGroupTag: 9, SourceSecurityGroupType: Session Directory, DestinationSecurityGroupType: SXP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Invalid ID, ACPolicy: ACP-Management, AccessControlRuleName: Default Deny, Prefilter Policy: Management Prefilter Policy, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 70, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity

packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sgt.log-expected.json

@@ -0,0 +1,263 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-09-01T12:35:00.000Z",
+            "cisco": {
+                "ftd": {
+                    "destination_interface": "outside",
+                    "rule_name": [
+                        "ACP-Access",
+                        "Test-Rule-1"
+                    ],
+                    "security": {
+                        "endpoint_profile": "Workstation:Microsoft-Workstation:Windows11-Workstation"
+                    },
+                    "security_event": {
+                        "ac_policy": "ACP-Access",
+                        "access_control_rule_action": "Trust",
+                        "access_control_rule_name": "Test-Rule-1",
+                        "application_protocol": "DNS",
+                        "client": "DNS",
+                        "connection_duration": 0,
+                        "destination_ip_dynamic_attribute": "APIC_EPG_TEST_GROUP",
+                        "dst_ip": "10.0.1.20",
+                        "dst_port": 53,
+                        "egress_interface": "outside",
+                        "first_packet_second": "2025-09-01T12:35:00Z",
+                        "ingress_interface": "inside",
+                        "initiator_bytes": 31,
+                        "initiator_packets": 1,
+                        "nap_policy": "Balanced Security and Connectivity",
+                        "prefilter_policy": "Default Prefilter Policy",
+                        "protocol": "udp",
+                        "responder_bytes": 238,
+                        "responder_packets": 1,
+                        "source_security_group": "SGT_TEST_GROUP",
+                        "source_security_group_tag": "2003",
+                        "source_security_group_type": "Session Directory",
+                        "src_ip": "10.0.100.30",
+                        "src_port": 56799,
+                        "user": "testuser"
+                    },
+                    "source_interface": "inside"
+                }
+            },
+            "destination": {
+                "address": "10.0.1.20",
+                "bytes": 238,
+                "ip": "10.0.1.20",
+                "packets": 1,
+                "port": 53
+            },
+            "device": {
+                "manufacturer": "Microsoft",
+                "model": {
+                    "name": "Windows11"
+                }
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "connection-finished",
+                "category": [
+                    "network"
+                ],
+                "code": "430003",
+                "duration": 0,
+                "end": "2025-09-01T12:35:00.000Z",
+                "kind": "event",
+                "original": "2025-09-01T12:00:00Z firepower : %FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 11, FirstPacketSecond: 2025-09-01T12:35:00Z, ConnectionID: 39416, AccessControlRuleAction: Trust, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: SGT_TEST_GROUP, SourceSecurityGroupTag: 2003, SourceSecurityGroupType: Session Directory, DestinationIP_DynamicAttribute: APIC_EPG_TEST_GROUP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Workstation:Microsoft-Workstation:Windows11-Workstation, ACPolicy: ACP-Access, AccessControlRuleName: Test-Rule-1, Prefilter Policy: Default Prefilter Policy, User: testuser, Client: DNS, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 31, ResponderBytes: 238, NAPPolicy: Balanced Security and Connectivity",
+                "outcome": "success",
+                "severity": 6,
+                "start": "2025-09-01T12:35:00.000Z",
+                "timezone": "UTC",
+                "type": [
+                    "connection",
+                    "end",
+                    "allowed"
+                ]
+            },
+            "host": {
+                "hostname": "firepower",
+                "type": "Microsoft"
+            },
+            "log": {
+                "level": "informational"
+            },
+            "network": {
+                "application": "dns",
+                "bytes": 269,
+                "community_id": "1:xlmEboTK1cVSycaPD+f1Ii6nxMg=",
+                "iana_number": "17",
+                "protocol": "dns",
+                "transport": "udp"
+            },
+            "observer": {
+                "egress": {
+                    "interface": {
+                        "name": "outside"
+                    }
+                },
+                "hostname": "firepower",
+                "ingress": {
+                    "interface": {
+                        "name": "inside"
+                    }
+                },
+                "product": "ftd",
+                "type": "idps",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "hosts": [
+                    "firepower"
+                ],
+                "ip": [
+                    "10.0.100.30",
+                    "10.0.1.20"
+                ],
+                "user": [
+                    "testuser"
+                ]
+            },
+            "rule": {
+                "name": "Test-Rule-1",
+                "ruleset": "ACP-Access"
+            },
+            "source": {
+                "address": "10.0.100.30",
+                "bytes": 31,
+                "ip": "10.0.100.30",
+                "packets": 1,
+                "port": 56799
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "id": "testuser",
+                "name": "testuser"
+            }
+        },
+        {
+            "@timestamp": "2025-09-01T14:00:03.000Z",
+            "cisco": {
+                "ftd": {
+                    "destination_interface": "outside",
+                    "rule_name": [
+                        "ACP-Management",
+                        "Default Deny"
+                    ],
+                    "security": {
+                        "endpoint_profile": "Invalid ID"
+                    },
+                    "security_event": {
+                        "ac_policy": "ACP-Management",
+                        "access_control_rule_action": "Block",
+                        "access_control_rule_name": "Default Deny",
+                        "destination_security_group": "9",
+                        "destination_security_group_tag": "9",
+                        "dst_ip": "10.0.1.20",
+                        "dst_port": 22,
+                        "egress_interface": "outside",
+                        "first_packet_second": "2025-09-01T14:00:03Z",
+                        "ingress_interface": "inside",
+                        "initiator_bytes": 70,
+                        "initiator_packets": 1,
+                        "nap_policy": "Balanced Security and Connectivity",
+                        "prefilter_policy": "Management Prefilter Policy",
+                        "protocol": "tcp",
+                        "responder_bytes": 0,
+                        "responder_packets": 0,
+                        "source_security_group": "2005",
+                        "source_security_group_tag": "2005",
+                        "source_security_group_type": "Session Directory",
+                        "src_ip": "10.0.100.30",
+                        "src_port": 56799
+                    },
+                    "source_interface": "inside"
+                }
+            },
+            "destination": {
+                "address": "10.0.1.20",
+                "bytes": 0,
+                "ip": "10.0.1.20",
+                "packets": 0,
+                "port": 22
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "connection-started",
+                "category": [
+                    "network"
+                ],
+                "code": "430002",
+                "kind": "event",
+                "original": "2025-09-01T14:00:00Z firepower : %FTD-6-430002: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 4, FirstPacketSecond: 2025-09-01T14:00:03Z, ConnectionID: 36584, AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 56799, DstPort: 22, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, SourceSecurityGroup: 2005, SourceSecurityGroupTag: 2005, DestinationSecurityGroup: 9, DestinationSecurityGroupTag: 9, SourceSecurityGroupType: Session Directory, DestinationSecurityGroupType: SXP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Invalid ID, ACPolicy: ACP-Management, AccessControlRuleName: Default Deny, Prefilter Policy: Management Prefilter Policy, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 70, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity",
+                "outcome": "success",
+                "severity": 6,
+                "start": "2025-09-01T14:00:03Z",
+                "timezone": "UTC",
+                "type": [
+                    "connection",
+                    "start",
+                    "denied"
+                ]
+            },
+            "host": {
+                "hostname": "firepower"
+            },
+            "log": {
+                "level": "informational"
+            },
+            "network": {
+                "bytes": 70,
+                "community_id": "1:jcSnhrPf/GVREflEdymeibE8U/A=",
+                "iana_number": "6",
+                "transport": "tcp"
+            },
+            "observer": {
+                "egress": {
+                    "interface": {
+                        "name": "outside"
+                    }
+                },
+                "hostname": "firepower",
+                "ingress": {
+                    "interface": {
+                        "name": "inside"
+                    }
+                },
+                "product": "ftd",
+                "type": "idps",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "hosts": [
+                    "firepower"
+                ],
+                "ip": [
+                    "10.0.100.30",
+                    "10.0.1.20"
+                ]
+            },
+            "rule": {
+                "name": "Default Deny",
+                "ruleset": "ACP-Management"
+            },
+            "source": {
+                "address": "10.0.100.30",
+                "bytes": 70,
+                "ip": "10.0.100.30",
+                "packets": 1,
+                "port": 56799
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}

packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -1433,6 +1433,15 @@ processors:
         DstPort:
           target: dst_port
           ecs: [destination.port]
+        DestinationIP_DynamicAttribute:
+          target: destination_ip_dynamic_attribute
+          id: ["430002", "430003"]
+        DestinationSecurityGroup:
+          target: destination_security_group
+          id: ["430002", "430003"]
+        DestinationSecurityGroupTag:
+          target: destination_security_group_tag
+          id: ["430002", "430003"]
         EgressInterface:
           target: egress_interface
           id: ["430001", "430002", "430003"]
@@ -1648,6 +1657,15 @@ processors:
         SperoDisposition:
           target: spero_disposition
           id: ["430004", "430005"]
+        SourceSecurityGroup:
+          target: source_security_group
+          id: ["430002", "430003"]
+        SourceSecurityGroupTag:
+          target: source_security_group_tag
+          id: ["430002", "430003"]
+        SourceSecurityGroupType:
+          target: source_security_group_type
+          id: ["430002", "430003"]
         SrcIP:
           target: src_ip
           ecs: [source.address]
@@ -1738,6 +1756,9 @@ processors:
                                     'dns_record_type',
                                     'dns_response_type',
                                     'dns_ttl',
+                                    'destination_ip_dynamic_attribute',
+                                    'destination_security_group',
+                                    'destination_security_group_tag',
                                     'dst_ip',
                                     'dst_port',
                                     'egress_interface',
@@ -1768,6 +1789,9 @@ processors:
                                     'responder_bytes',
                                     'responder_packets',
                                     'sha_disposition',
+                                    'source_security_group',
+                                    'source_security_group_tag',
+                                    'source_security_group_type',
                                     'spero_disposition',
                                     'src_ip',
                                     'src_port',

packages/cisco_ftd/data_stream/log/fields/fields.yml

@@ -201,6 +201,15 @@
           type: ip
         - name: dst_port
           type: integer
+        - name: destination_ip_dynamic_attribute
+          type: keyword
+          description: Destination IP dynamic attribute (EPG information)
+        - name: destination_security_group
+          type: keyword
+          description: Destination Security Group Tag (SGT)
+        - name: destination_security_group_tag
+          type: keyword
+          description: Destination Security Group Tag number
         - name: egress_interface
           type: keyword
         - name: egress_zone
@@ -259,6 +268,15 @@
           type: keyword
         - name: spero_disposition
           type: keyword
+        - name: source_security_group
+          type: keyword
+          description: Source Security Group Tag (SGT)
+        - name: source_security_group_tag
+          type: keyword
+          description: Source Security Group Tag number
+        - name: source_security_group_type
+          type: keyword
+          description: Source Security Group Tag type
         - name: src_ip
           type: ip
         - name: src_port

packages/cisco_ftd/docs/README.md

@@ -240,6 +240,9 @@ An example event for `log` looks as following:
 | cisco.ftd.security_event.client |  | keyword |
 | cisco.ftd.security_event.client_version |  | keyword |
 | cisco.ftd.security_event.connection_duration |  | integer |
+| cisco.ftd.security_event.destination_ip_dynamic_attribute | Destination IP dynamic attribute (EPG information) | keyword |
+| cisco.ftd.security_event.destination_security_group | Destination Security Group Tag (SGT) | keyword |
+| cisco.ftd.security_event.destination_security_group_tag | Destination Security Group Tag number | keyword |
 | cisco.ftd.security_event.dns_query |  | keyword |
 | cisco.ftd.security_event.dns_record_type |  | keyword |
 | cisco.ftd.security_event.dns_response_type |  | keyword |
@@ -274,6 +277,9 @@ An example event for `log` looks as following:
 | cisco.ftd.security_event.responder_bytes |  | long |
 | cisco.ftd.security_event.responder_packets |  | integer |
 | cisco.ftd.security_event.sha_disposition |  | keyword |
+| cisco.ftd.security_event.source_security_group | Source Security Group Tag (SGT) | keyword |
+| cisco.ftd.security_event.source_security_group_tag | Source Security Group Tag number | keyword |
+| cisco.ftd.security_event.source_security_group_type | Source Security Group Tag type | keyword |
 | cisco.ftd.security_event.spero_disposition |  | keyword |
 | cisco.ftd.security_event.src_ip |  | ip |
 | cisco.ftd.security_event.src_port |  | integer |

packages/cisco_ftd/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ftd
 title: Cisco FTD
-version: "3.10.3"
+version: "3.11.0"
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
 categories: