cisco_umbrella: add support for log schema version v13 (#15791)

test samples are taken from the official Cisco Umbrella documentation.

Author: navnit-elastic

packages/cisco_umbrella/_dev/build/docs/README.md

@@ -8,7 +8,7 @@ This integration is for [Cisco Umbrella](https://docs.umbrella.com/). It include
 
 ### Compatibility
 
-This integration supports the log schema version 8 and 9.
+This integration supports the log [schema version 13](https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning#log-schema-versions).
 
 ## What do I need to use this integration?
 

packages/cisco_umbrella/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.33.0"
+  changes:
+    - description: Add support for log schema version v13.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15791
 - version: "1.32.0"
   changes:
     - description: Update the Cisco Umbrella README to add compatibility information.

packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json

@@ -215,4 +215,4 @@
             }
         }
     ]
-}
+}

packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log

@@ -1,3 +1,4 @@
 2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,ALLOW
 2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,BLOCK
-"2019-01-14 18:03:46","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","","67.43.156.12", "","ams1.edc","12","ALLOW","google.com,apple.com","44,66"
+"2019-01-14 18:03:46","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","","67.43.156.12", "","ams1.edc","12","ALLOW","google.com,apple.com","44,66"
+"2024-06-14 18:59:57","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","60951","67.43.156.12","443","ams1.edc","12","ALLOW","google.com,apple.com","44,66","1718391597","1718391597","3","3","1108","755","39-42","","eu-central-2b","","","","","\[]","","","","2204063","67.43.156.12","TRUE"

packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json

@@ -251,6 +251,117 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2024-06-14T18:59:57.000Z",
+            "cisco": {
+                "umbrella": {
+                    "casi_category_ids": "\\[]",
+                    "datacenter": "ams1.edc",
+                    "destination_lists_id": "44,66",
+                    "egress": "TRUE",
+                    "first_packet_timestamp": "2024-06-14T18:59:57.000Z",
+                    "fqdns": [
+                        "google.com",
+                        "apple.com"
+                    ],
+                    "identities": [
+                        "Passive Monitor"
+                    ],
+                    "identity_types": [
+                        "CDFW Tunnel Device"
+                    ],
+                    "last_packet_timestamp": "2024-06-14T18:59:57.000Z",
+                    "origin_id": "[211039844]"
+                }
+            },
+            "cloud": {
+                "availability_zone": "eu-central-2b"
+            },
+            "destination": {
+                "address": "67.43.156.12",
+                "as": {
+                    "number": 35908
+                },
+                "bytes": 755,
+                "geo": {
+                    "continent_name": "Asia",
+                    "country_iso_code": "BT",
+                    "country_name": "Bhutan",
+                    "location": {
+                        "lat": 27.5,
+                        "lon": 90.5
+                    }
+                },
+                "ip": "67.43.156.12",
+                "packets": 3,
+                "port": 443
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "fw-connection-ALLOW",
+                "category": [
+                    "network"
+                ],
+                "id": "39-42",
+                "kind": "event",
+                "original": "\"2024-06-14 18:59:57\",\"[211039844]\",\"Passive Monitor\", \"CDFW Tunnel Device\",\"OUTBOUND\",\"1\",\"84\",\"172.17.3.4\",\"60951\",\"67.43.156.12\",\"443\",\"ams1.edc\",\"12\",\"ALLOW\",\"google.com,apple.com\",\"44,66\",\"1718391597\",\"1718391597\",\"3\",\"3\",\"1108\",\"755\",\"39-42\",\"\",\"eu-central-2b\",\"\",\"\",\"\",\"\",\"\\[]\",\"\",\"\",\"\",\"2204063\",\"67.43.156.12\",\"TRUE\"",
+                "type": [
+                    "allowed",
+                    "connection"
+                ]
+            },
+            "log": {
+                "file": {
+                    "path": "/test/path/cloudfirewalllogs"
+                }
+            },
+            "network": {
+                "bytes": 1863,
+                "community_id": "1:7y0Rtnc087ycVA+d/fCa/8i5fTo=",
+                "direction": "outbound",
+                "name": [
+                    "Passive Monitor"
+                ],
+                "packets": 6,
+                "transport": "1"
+            },
+            "observer": {
+                "product": "Umbrella",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "organization": {
+                "id": "2204063"
+            },
+            "related": {
+                "hosts": [
+                    "google.com",
+                    "apple.com"
+                ],
+                "ip": [
+                    "172.17.3.4",
+                    "67.43.156.12"
+                ]
+            },
+            "rule": {
+                "id": "12"
+            },
+            "source": {
+                "address": "172.17.3.4",
+                "bytes": 1108,
+                "ip": "172.17.3.4",
+                "nat": {
+                    "ip": "67.43.156.12"
+                },
+                "packets": 3,
+                "port": 60951
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
-}
+}

packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dlplogs.log

@@ -1 +1,2 @@
-"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","CRITICAL","Network1","","first.xlsx","Dropbox","http://google.com","BLOCK","rule-1","classification-2","classifier-2.1","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab", "Confidential"
+"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","CRITICAL","Network1","","first.xlsx","Dropbox","http://google.com","BLOCK","rule-1","classification-2","classifier-2.1","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab", "Confidential"
+"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","CRITICAL","Network1","","first.xlsx","Dropbox","http://google.com","BLOCK","rule-1","classification-2","classifier-2.1","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab", "Confidential","","","dlpprivateresource","","https","67.43.156.12","443","8247177"

packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dlplogs.log-expected.json

@@ -44,7 +44,7 @@
                 }
             },
             "network": {
-                "application": "Dropbox",
+                "application": "dropbox",
                 "name": "Network1"
             },
             "observer": {
@@ -69,6 +69,100 @@
                 "path": "",
                 "scheme": "http"
             }
+        },
+        {
+            "@timestamp": "2022-02-15T12:05:45.000Z",
+            "cisco": {
+                "umbrella": {
+                    "data_classification": "classification-2",
+                    "data_identifier": "classifier-2.1",
+                    "file_label": "Confidential",
+                    "private_resource_name": "dlpprivateresource",
+                    "severity": "CRITICAL"
+                }
+            },
+            "destination": {
+                "as": {
+                    "number": 35908
+                },
+                "geo": {
+                    "continent_name": "Asia",
+                    "country_iso_code": "BT",
+                    "country_name": "Bhutan",
+                    "location": {
+                        "lat": 27.5,
+                        "lon": 90.5
+                    }
+                },
+                "ip": "67.43.156.12",
+                "port": 443
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "dlp-BLOCK",
+                "category": [
+                    "network",
+                    "file"
+                ],
+                "id": "f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6",
+                "kind": "event",
+                "original": "\"2022-02-15 12:05:45\",\"Real Time\",\"f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6\",\"CRITICAL\",\"Network1\",\"\",\"first.xlsx\",\"Dropbox\",\"http://google.com\",\"BLOCK\",\"rule-1\",\"classification-2\",\"classifier-2.1\",\"text/html\",\"48\",\"abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab\", \"Confidential\",\"\",\"\",\"dlpprivateresource\",\"\",\"https\",\"67.43.156.12\",\"443\",\"8247177\"",
+                "provider": "Real Time",
+                "severity": 4,
+                "type": [
+                    "denied",
+                    "connection",
+                    "info"
+                ]
+            },
+            "file": {
+                "hash": {
+                    "sha256": "abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab"
+                },
+                "mime_type": "text/html",
+                "name": "first.xlsx",
+                "size": 48
+            },
+            "log": {
+                "file": {
+                    "path": "/test/path/dlplogs"
+                }
+            },
+            "network": {
+                "application": "dropbox",
+                "name": "Network1",
+                "protocol": "https"
+            },
+            "observer": {
+                "product": "Umbrella",
+                "type": "dlp",
+                "vendor": "Cisco"
+            },
+            "organization": {
+                "id": "8247177"
+            },
+            "related": {
+                "hash": [
+                    "abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab"
+                ],
+                "ip": [
+                    "67.43.156.12"
+                ]
+            },
+            "rule": {
+                "name": "rule-1"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "url": {
+                "domain": "google.com",
+                "original": "http://google.com",
+                "path": "",
+                "scheme": "http"
+            }
         }
     ]
-}
+}

packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log

@@ -13,3 +13,4 @@
 "2023-05-05 12:50:00","Ca_redacted, Ch_redacted ([email protected])","Ca_redacted, Ch_redacted ([email protected]),5CG0310TQZ","192.168.1.79","89.160.20.128","Allowed","1 (A)","NOERROR","presence.gcc.teams.microsoft.com.","Software/Technology,Business Services,Allow List,Infrastructure and Content Delivery Networks,Online Meetings,Application,Cloud and Data Centers","AD Users","AD Users,Anyconnect Roaming Client","Allow List"
 "2023-05-05 12:40:01","G_redacted, Er_redacted R ([email protected])","G_redacted, Er_redacted R ([email protected]),Mega Corp,MXL952303K","10.245.149.68","81.2.69.144","Allowed","1 (A)","NOERROR","outlook.office365.com.","Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Online Document Sharing and Collaboration","AD Users","AD Users,Networks,Anyconnect Roaming Client","Allow List"
 "2023-05-05 12:40:01","LastName, Tiredacted M (Ti) ([email protected])","LastName, Tiredacted M (Ti) ([email protected]),5CG0310TPJ","192.168.4.66","81.2.69.192","Allowed","1 (A)","NOERROR","outlook.office365.com.","Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Online Document Sharing and Collaboration","AD Users","AD Users,Anyconnect Roaming Client","Allow List"
+"2024-09-11 18:46:00","Active Directory User ([[email protected]](mailto:[email protected]))","Active Directory User ([[email protected]](mailto:[email protected])),WIN11-SNG01-Example","192.168.4.66","81.2.69.192","Blocked","1 (A)","NOERROR","domain-visited.com.","Chat,Social Networking","AD Users","AD Users,Anyconnect Roaming Client","Social Networking","506165","","8234970"

packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json

@@ -1353,6 +1353,104 @@
                 "id": "[email protected]",
                 "name": "Tiredacted.LastName"
             }
+        },
+        {
+            "@timestamp": "2024-09-11T18:46:00.000Z",
+            "cisco": {
+                "umbrella": {
+                    "blocked_categories": [
+                        "Social Networking"
+                    ],
+                    "categories": [
+                        "Chat",
+                        "Social Networking"
+                    ],
+                    "identities": [
+                        "Active Directory User ([[email protected]](mailto:[email protected]))",
+                        "WIN11-SNG01-Example"
+                    ],
+                    "identity": "Active Directory User ([[email protected]](mailto:[email protected]))",
+                    "identity_types": [
+                        "AD Users",
+                        "Anyconnect Roaming Client"
+                    ],
+                    "policy_identity_type": "AD Users"
+                }
+            },
+            "dns": {
+                "question": {
+                    "name": "domain-visited.com",
+                    "registered_domain": "domain-visited.com",
+                    "top_level_domain": "com",
+                    "type": "1 (A)"
+                },
+                "response_code": "NOERROR",
+                "type": "query"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "dns-request-Blocked",
+                "category": [
+                    "network"
+                ],
+                "kind": "event",
+                "original": "\"2024-09-11 18:46:00\",\"Active Directory User ([[email protected]](mailto:[email protected]))\",\"Active Directory User ([[email protected]](mailto:[email protected])),WIN11-SNG01-Example\",\"192.168.4.66\",\"81.2.69.192\",\"Blocked\",\"1 (A)\",\"NOERROR\",\"domain-visited.com.\",\"Chat,Social Networking\",\"AD Users\",\"AD Users,Anyconnect Roaming Client\",\"Social Networking\",\"506165\",\"\",\"8234970\"",
+                "type": [
+                    "denied",
+                    "connection"
+                ]
+            },
+            "host": {
+                "name": "win11-sng01-example"
+            },
+            "log": {
+                "file": {
+                    "path": "/test/path/dnslogs"
+                }
+            },
+            "observer": {
+                "product": "Umbrella",
+                "type": "dns",
+                "vendor": "Cisco"
+            },
+            "organization": {
+                "id": "8234970"
+            },
+            "related": {
+                "hosts": [
+                    "win11-sng01-example",
+                    "domain-visited.com"
+                ],
+                "ip": [
+                    "192.168.4.66",
+                    "81.2.69.192"
+                ],
+                "user": [
+                    "adusername"
+                ]
+            },
+            "rule": {
+                "id": "506165"
+            },
+            "source": {
+                "address": "192.168.4.66",
+                "ip": "192.168.4.66",
+                "nat": {
+                    "ip": "81.2.69.192"
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "domain": "example.net",
+                "email": "[email protected]",
+                "full_name": "Active Directory User",
+                "id": "[email protected]",
+                "name": "adusername"
+            }
         }
     ]
-}
+}

packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-intrusionlogs.log

@@ -1 +1,2 @@
-"2022-04-12 16:14:09","Firewall Tunnel 1","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","1323","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","172.17.3.4","33010","67.43.156.12","443","Would Block"
+"2022-04-12 16:14:09","Firewall Tunnel 1","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","1323","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","172.17.3.4","33010","67.43.156.12","443","Would Block"
+"2024-09-11 23:17:13","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","50516","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","172.17.3.4","80","67.43.156.12","40762","Would Block","IDS","50516","S2C","21171","PROFILE","eu-central-2b","","\[]","DEN1","8151514","67.43.156.12","TRUE","FTD","12321321312",""