
Fix parsing error in CiscoSecureEmail V15#9474

Merged
pkoutsovasilis merged 11 commits into main from pkoutsovasilis/fix_cisco_secure_email_gateway
Apr 3, 2024

Conversation

pkoutsovasilis (Contributor) commented Mar 29, 2024

Proposed commit message

This PR refactors the extraction and parsing of the fields of a consolidated event for the cisco_secure_email_gateway integration. Specifically, the issue is that the order of the keys (key1=val1 key2=val) defined here is not guaranteed. Thus this PR revisits this integration and makes it parse all the possible fields without relying on the order of appearance. The fixes are present even for pre-existing testing logs like missing verdicts here, missing TLS info here, missing subject here.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

N/A

How to test this PR locally

Related issues

Screenshots

N/A
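The point the description makes, extracting CEF extension `key=value` pairs without assuming their order even though the values themselves contain spaces and `=`, as an added Python example. This is not the PR's code and not taken from the integration (which is an Elasticsearch ingest pipeline, not Python). Assumptions: `KNOWN_KEYS` is lifted from the field names visible in the PR's sample events, and the two sample lines are constructed after those events rather than copied from the test file.

```python
import re
from typing import Dict, List, Tuple

# Keys the parser recognises. Assumption: the list is lifted from the field names
# visible in this PR's sample events; a real pipeline would carry every key the
# gateway can emit. The order in which they appear in an event does not matter.
KNOWN_KEYS = [
    "deviceExternalId", "ESAMID", "ESAICID", "ESADCID", "endTime", "startTime",
    "ESADKIMVerdict", "ESADLPVerdict", "dvc", "ESAFriendlyFrom", "ESAGMVerdict",
    "deviceInboundInterface", "deviceDirection", "ESAMailFlowPolicy", "suser",
    "cs1Label", "cs1", "cs2Label", "cs2", "cs3Label", "cs3", "cs4Label", "cs4",
    "cs6Label", "cs6", "cfp1Label", "cfp1", "ESAMFVerdict", "act",
    "ESAFinalActionDetails", "ESAMsgSize", "ESAOFVerdict", "duser", "ESAHeloDomain",
    "ESAHeloIP", "ESAReplyTo", "ESASDRDomainAge", "ESASPFVerdict", "sourceHostName",
    "sourceAddress", "msg", "ESATLSInCipher", "ESATLSInConnStatus", "ESATLSInProtocol",
    "ESAAMPVerdict", "ESAASVerdict", "ESAAVVerdict", "ESACFVerdict",
]

# Pairs are whitespace separated, but values carry whitespace and '=' too (dates,
# subjects, the ESASPFVerdict dict). The only safe boundary is whitespace followed
# by a KNOWN key and '=', so split on that lookahead instead of on every space.
_PAIR_BOUNDARY = re.compile(r"\s+(?=(?:%s)=)" % "|".join(map(re.escape, KNOWN_KEYS)))

# Syslog framing as seen in the samples; the hostname is optional.
_SYSLOG = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>\S+) )?consolidated_event: (?P<cef>CEF:.*)$"
)
_CUSTOM_SLOT = re.compile(r"^(c(?:s|n|fp)\d)(Label)?$")
_HEADER = ("version", "device_vendor", "device_product", "device_version",
           "signature_id", "name", "severity")


def cef_unescape(value: str) -> str:
    """Drop the backslash CEF puts before '=', '|' and '\\' inside a value."""
    return re.sub(r"\\([=|\\])", r"\1", value)


def parse_extension(ext: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (fields, leftovers). A token that does not start with a known key
    (only possible at the very beginning) is kept in leftovers, not dropped."""
    fields: Dict[str, str] = {}
    leftovers: List[str] = []
    for token in _PAIR_BOUNDARY.split(ext.strip()):
        key, sep, value = token.partition("=")
        if sep and key in KNOWN_KEYS:
            fields[key] = cef_unescape(value.strip())
        else:
            leftovers.append(token)
    return fields, leftovers


def resolve_custom_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Expose csN/cfpN slots under their declared names (MailPolicy, SBRSScore, ...)
    whichever of the slot and its Label came first in the event."""
    out = dict(fields)
    for key, label in fields.items():
        m = _CUSTOM_SLOT.match(key)
        if m and m.group(2) and m.group(1) in fields:
            out[label] = fields[m.group(1)]
    return out


def parse_event(line: str) -> Dict[str, object]:
    m = _SYSLOG.match(line)
    if not m:
        raise ValueError("unrecognised syslog framing")
    # Seven pipe-delimited header fields; a literal pipe inside them is '\|'.
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(_HEADER, [parts[0][4:]] + parts[1:7]))
    fields, leftovers = parse_extension(parts[7])
    return {
        "priority": int(m.group("pri")),
        "timestamp": m.group("ts"),
        "host": m.group("host"),  # None when the appliance omits it
        "cef": header,
        "fields": resolve_custom_labels(fields),
        "unparsed": leftovers,
    }


# Constructed samples modelled on the PR's test events: the first has no syslog
# host; the second reorders keys, drops the verdict/TLS fields and puts an
# unknown 'key=value' inside the subject.
SAMPLE_NO_HOST = (
    "<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance"
    "|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|"
    "deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 "
    "endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESAFriendlyFrom=Beaches <playas@example.com> "
    r"suser=westinghouse-thoreau\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT "
    "act=QUARANTINED ESASDRDomainAge=30 days (or greater) "
    "ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}} "
    'msg="Totally not suspicious email subject" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 '
    "ESATLSInProtocol=TLSv1.2"
)
SAMPLE_REORDERED = (
    "<14>Jul 04 06:21:54 test.hostname.co consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance"
    "|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|"
    "cs1=DEFAULT act=DELIVERED ESAMID=786325 cs1Label=MailPolicy suser=lane@example.com "
    "deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 endTime=Tue Jul 4 06:22:10 2023 "
    "msg=subject with price=free inside"
)

if __name__ == "__main__":
    for sample in (SAMPLE_NO_HOST, SAMPLE_REORDERED):
        ev = parse_event(sample)
        print(ev["host"], ev["fields"].get("MailPolicy"), ev["fields"].get("msg"))
```

The trade-off of keying the split on a fixed list: a `key=value` that is not in `KNOWN_KEYS` is absorbed into the preceding value, which is what you want for a subject like `msg=... price=free ...`, but it also means a field added by a newer appliance firmware is silently glued onto its predecessor until the list is extended. Keeping the list in one place and alerting when a parsed value still contains ` something=` is the cheap way to notice that drift.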

pkoutsovasilis force-pushed the pkoutsovasilis/fix_cisco_secure_email_gateway branch from 15df2e2 to 923b581 on March 29, 2024 16:09
pkoutsovasilis marked this pull request as ready for review March 29, 2024 16:11
pkoutsovasilis requested a review from a team as a code owner March 29, 2024 16:11
@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

pkoutsovasilis force-pushed the pkoutsovasilis/fix_cisco_secure_email_gateway branch from 0e36acd to 5405909 on April 1, 2024 14:35
narph requested a review from a team April 2, 2024 14:52
narph (Contributor) commented Apr 2, 2024

@elastic/security-service-integrations can you help with a review here?

Comment on lines +14 to +15
<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches <playas@example.com> ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg="Totally not suspicious email subject" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH
<14>Jul 04 06:21:54 test.hostname.co consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches <playas@example.com> ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg="Totally not suspicious email subject" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH
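Review bot: the two sample lines differ only in whether a syslog hostname precedes `consolidated_event:`; the extension keys are in exactly the same order in both, so neither exercises the order independence this PR sets out to fix. Consider adding a third sample with the same fields shuffled (for example `cs1=DEFAULT` before `cs1Label=MailPolicy`, or `msg=` ahead of the verdict fields), since the values already present here (`ESASDRDomainAge=30 days (or greater)`, `ESAFriendlyFrom=Beaches <playas@example.com>`, the `'sender': 'westinghouse-thoreau=example.com@example.com'` inside `ESASPFVerdict=`) are precisely the ones a whitespace- or `=`-based split mangles once their position changes. Also confirm that the `\\=` in `suser=` is what the test file actually contains rather than a rendering of a single `\=`, given that this comment thread is about escaping being removed.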

For other reviewers, the escaping that is removed here was incorrectly introduced in #6879.

@elasticmachine

💚 Build Succeeded

@pkoutsovasilis pkoutsovasilis merged commit 09ef12c into main Apr 3, 2024
@pkoutsovasilis pkoutsovasilis deleted the pkoutsovasilis/fix_cisco_secure_email_gateway branch April 3, 2024 13:30
@elasticmachine

Package cisco_secure_email_gateway - 1.23.1 containing this change is available at https://epr.elastic.co/search?package=cisco_secure_email_gateway

@andrewkroh andrewkroh added the Integration:cisco_secure_email_gateway Cisco Secure Email Gateway label Jul 22, 2024

7 participants