From c5f9f640e293a889caab38eb6794c4cc964bd710 Mon Sep 17 00:00:00 2001 From: robester0403 Date: Fri, 10 Jul 2026 08:41:29 -0400 Subject: [PATCH 1/2] fix: Change type for filesize from integer to long --- packages/cisco_ftd/changelog.yml | 5 + .../pipeline/test-security-file-malware.log | 1 + ...st-security-file-malware.log-expected.json | 127 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../data_stream/log/fields/fields.yml | 2 +- packages/cisco_ftd/docs/README.md | 2 +- packages/cisco_ftd/manifest.yml | 2 +- 7 files changed, 138 insertions(+), 5 deletions(-) diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml index 504978eb6db..e7699421161 100644 --- a/packages/cisco_ftd/changelog.yml +++ b/packages/cisco_ftd/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.13.8" + changes: + - description: Convert FileSize to long instead of integer so large file sizes above the 32-bit integer limit no longer fail parsing for event.code. + type: bugfix + link: https://github.com/elastic/integrations/pull/00001 - version: "3.13.7" changes: - description: Add grok pattern to handle GRE tunnel teardown messages (302018) that lack source port. diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log index e86bfb6bc1f..33098981863 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log @@ -9,3 +9,4 @@ Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100. 2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d 2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d <113>2021-08-25T14:55:13Z %FTD-1-430005: DeviceUUID: c20ef000-c4f3-11e9-9b57-c6a90fda2892, InstanceID: 3, FirstPacketSecond: 2021-08-25T14:55:06Z, ConnectionID: 44560, SrcIP: 172.16.0.2, DstIP: 89.160.20.156, SrcPort: 65000, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2e05c13906b7435e80b6128c2bf86ba0644b0e6205efb96f3c14e52afd75f1c9, SHA_Disposition: Unknown, SperoDisposition: Spero detection not performed on file, ThreatName: Invalid ID, FileName: 34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, FileType: MSCAB, FileSize: 7179, ApplicationProtocol: HTTP, Client: Windows Update, WebApplication: Microsoft Update, User: Not Found, FilePolicy: FILE POLICY, URI: http://download.windowsupdate.com/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab, IngressVRF: Global, EgressVRF: Global +<166>2020-01-01T00:00:00Z siem-ftd : %FTD-6-430005: DeviceUUID: 11111111-1111-1111-1111-111111111111, InstanceID: 1, FirstPacketSecond: 2020-01-01T00:00:00Z, ConnectionID: 1, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 12345, DstPort: 445, Protocol: tcp, FileDirection: Upload, FileAction: Malware Cloud Lookup, FileSHA256: 0000000000000000000000000000000000000000000000000000000000000000, SHA_Disposition: Unknown, SperoDisposition: Spero detection not performed on file, FileName: example.pdf, FileType: PDF, FileSize: 5000000000, ApplicationProtocol: NetBIOS-ssn (SMB), Client: NetBIOS-ssn (SMB) client, WebApplication: SMBv3-unencrypted, User: Not Found, FilePolicy: file-policy, FileSandboxStatus: File Size Is Too Large, IngressVRF: Global, EgressVRF: Global diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json index 82a67053260..df7409e62f8 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json @@ -1241,6 +1241,133 @@ "path": "/d/msdownload/update/others/2021/08/34990729_2caabbb9f7956d24f8b6124641b1df788e3ea127.cab", "scheme": "http" } + }, + { + "@timestamp": "2020-01-01T00:00:00.000Z", + "cisco": { + "ftd": { + "rule_name": "file-policy", + "security_event": { + "application_protocol": "NetBIOS-ssn (SMB)", + "client": "NetBIOS-ssn (SMB) client", + "dst_ip": "81.2.69.144", + "dst_port": 445, + "file_action": "Malware Cloud Lookup", + "file_direction": "Upload", + "file_name": "example.pdf", + "file_policy": "file-policy", + "file_sandbox_status": "File Size Is Too Large", + "file_sha256": "0000000000000000000000000000000000000000000000000000000000000000", + "file_size": 5000000000, + "file_type": "PDF", + "first_packet_second": "2020-01-01T00:00:00Z", + "protocol": "tcp", + "sha_disposition": "Unknown", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": 12345, + "user": "Not Found", + "web_application": "SMBv3-unencrypted" + } + } + }, + "destination": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 445 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "malware-detected", + "category": [ + "malware", + "file" + ], + "code": "430005", + "kind": "event", + "original": "<166>2020-01-01T00:00:00Z siem-ftd : %FTD-6-430005: DeviceUUID: 11111111-1111-1111-1111-111111111111, InstanceID: 1, FirstPacketSecond: 2020-01-01T00:00:00Z, ConnectionID: 1, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 12345, DstPort: 445, Protocol: tcp, FileDirection: Upload, FileAction: Malware Cloud Lookup, FileSHA256: 0000000000000000000000000000000000000000000000000000000000000000, SHA_Disposition: Unknown, SperoDisposition: Spero detection not performed on file, FileName: example.pdf, FileType: PDF, FileSize: 5000000000, ApplicationProtocol: NetBIOS-ssn (SMB), Client: NetBIOS-ssn (SMB) client, WebApplication: SMBv3-unencrypted, User: Not Found, FilePolicy: file-policy, FileSandboxStatus: File Size Is Too Large, IngressVRF: Global, EgressVRF: Global", + "severity": 6, + "start": "2020-01-01T00:00:00Z", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "0000000000000000000000000000000000000000000000000000000000000000" + }, + "name": "example.pdf", + "size": 5000000000 + }, + "host": { + "hostname": "siem-ftd" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 166, + "severity": { + "code": 6 + } + } + }, + "network": { + "application": [ + "netbios-ssn (smb) client", + "smbv3-unencrypted" + ], + "community_id": "1:l3jUCa5bRtPCm0fjhie3Npr4Us8=", + "iana_number": "6", + "protocol": "netbios-ssn (smb)", + "transport": "tcp" + }, + "observer": { + "hostname": "siem-ftd", + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "0000000000000000000000000000000000000000000000000000000000000000" + ], + "hosts": [ + "siem-ftd" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ] + }, + "rule": { + "ruleset": "file-policy" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ] } ] } diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml index d84b6424ce0..5fccf9ab510 100644 --- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -1887,7 +1887,7 @@ processors: tag: convert-security_event_file_size field: _temp_.cisco.security_event.file_size target_field: _temp_.cisco.security_event.file_size - type: integer + type: long - date: field: _temp_.cisco.security_event.first_packet_second tag: date_first_packet_second @@ -2415,7 +2415,7 @@ processors: - convert: tag: convert_file_size_5671cd5a field: file.size - type: integer + type: long ignore_failure: true - convert: tag: convert_network_iana_number_7aa7bdd4 diff --git a/packages/cisco_ftd/data_stream/log/fields/fields.yml b/packages/cisco_ftd/data_stream/log/fields/fields.yml index 823653ebfa1..27a3dce5266 100644 --- a/packages/cisco_ftd/data_stream/log/fields/fields.yml +++ b/packages/cisco_ftd/data_stream/log/fields/fields.yml @@ -231,7 +231,7 @@ - name: file_sha256 type: keyword - name: file_size - type: integer + type: long - name: file_type type: keyword - name: first_packet_second diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md index 5d80bc0b3b9..13affc7357e 100644 --- a/packages/cisco_ftd/docs/README.md +++ b/packages/cisco_ftd/docs/README.md @@ -192,7 +192,7 @@ The `log` data stream collects logs from Cisco Firepower Threat Defense (FTD) de | cisco.ftd.security_event.file_policy | | keyword | | cisco.ftd.security_event.file_sandbox_status | | keyword | | cisco.ftd.security_event.file_sha256 | | keyword | -| cisco.ftd.security_event.file_size | | integer | +| cisco.ftd.security_event.file_size | | long | | cisco.ftd.security_event.file_type | | keyword | | cisco.ftd.security_event.first_packet_second | | date | | cisco.ftd.security_event.http_referer | | keyword | diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml index 717c7b270be..317acc6384b 100644 --- a/packages/cisco_ftd/manifest.yml +++ b/packages/cisco_ftd/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: cisco_ftd title: Cisco FTD -version: "3.13.7" +version: "3.13.8" description: Collect logs from Cisco FTD with Elastic Agent. type: integration categories: From cf4e5a54f0a5e9ec6f9164c076f4006519c12087 Mon Sep 17 00:00:00 2001 From: robester0403 Date: Fri, 10 Jul 2026 08:48:16 -0400 Subject: [PATCH 2/2] chore: Update pr link address --- packages/cisco_ftd/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml index e7699421161..0b68ff74bab 100644 --- a/packages/cisco_ftd/changelog.yml +++ b/packages/cisco_ftd/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Convert FileSize to long instead of integer so large file sizes above the 32-bit integer limit no longer fail parsing for event.code. type: bugfix - link: https://github.com/elastic/integrations/pull/00001 + link: https://github.com/elastic/integrations/pull/20083 - version: "3.13.7" changes: - description: Add grok pattern to handle GRE tunnel teardown messages (302018) that lack source port.