[cisco_ftd]: parse additional fields related to SGT/EGT #15204

@jeanfabrice

Description

Integration Name

Cisco FTD [cisco_ftd]

Dataset Name

cisco_ftd.log

Integration Version

3.10.2

Agent Version

8.19.2

OS Version and Architecture

n/a

User Goal

Summary

The cisco_ftd integration is not correctly parsing six specific fields related to Security Group Tag (SGT) and Endpoint Group (EPG) information from the event.original field. This prevents the SGT/EPG data from being parsed and queried.

Integration details

Features description

The cisco_ftd integration is not parsing the following six fields from Cisco FTD syslog messages. This information is present in the event.original field but is not being mapped to structured fields.

Fields of interest

The six fields not being parsed are:

  • SourceSecurityGroup: e.g., SGT_ALG_X_Y_Z
  • SourceSecurityGroupTag: e.g., 2003
  • SourceSecurityGroupType: e.g., Session Directory
  • DestinationIP_DynamicAttribute: e.g., APIC_X-LERE-03_YY-ALGV-TEST_EPG-ADS-P-DIR
  • DestinationSecurityGroup: Value can be a String or Number
  • DestinationSecurityGroupTag: Value can be a String or Number

Example of log events, captured from ingested event.original:

2025-09-01T12:00:00Z gy-t103ret : %FTD-6-430003: EventPriority: Low, DeviceUUID: d697c8ca-9fe4-43e6-aeb5-33e277e5ffea, InstanceID: 11, FirstPacketSecond: 2025-09-01T12:35:00Z, ConnectionID: 39416, AccessControlRuleAction: Trust, SrcIP: 172.1.1.2, DstIP: 10.1.2.3, SrcPort: 56799, DstPort: 53, Protocol: udp, IngressInterface: XXX-ALGV_DEFAULT_YYY, EgressInterface: ALGV-PI002, SourceSecurityGroup: SGT_ALG_X_Y_Z, SourceSecurityGroupTag: 2003, SourceSecurityGroupType: Session Directory, DestinationIP_DynamicAttribute: APIC_X-LERE-03_YY-ALGV-TEST_EPG-ADS-P-DIR, IngressVRF: ALGV-TA-T, EgressVRF: ALGV-TA-T, Endpoint Profile: Workstation:Microsoft-Workstation:Windows11-Workstation, ACPolicy: ACP-Access, AccessControlRuleName: ALGV-AC_ALGV-DC XY-Z, Prefilter Policy: Default Prefilter Policy, User: Not Found, AuthenticationSource: ISE, Client: DNS, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 31, ResponderB<166>2025-09-01T12:35:14Z gy-t103ret : %FTD-6-302016: Teardown UDP connection 2913341217 for ALGVHUB-RESTRICTED005:172.1.1.2/56799 to ALGV-PI002:10.1.2.3/53 duration 0:00:00 bytes 269

Or

"2025-09-01T14:00:00Z gy-t103ret : %FTD-6-430002: EventPriority: Low, DeviceUUID: d697c8ca-9fe4-43e6-aeb5-33e277e5ffea, InstanceID: 4, FirstPacketSecond: 2025-09-01T14:00:03Z, ConnectionID: 36584, AccessControlRuleAction: Block, SrcIP: 172.1.1.2, DstIP: 10.1.2.3, SrcPort: 56799, DstPort: 22, Protocol: tcp, IngressInterface: INT-XX-ALGV, EgressInterface: INT-XX_DEFAULT_YY, SourceSecurityGroup: 2005, SourceSecurityGroupTag: 2005, DestinationSecurityGroup: 9, DestinationSecurityGroupTag: 9, SourceSecurityGroupType: Session Directory, DestinationSecurityGroupType: SXP, IngressVRF: Global, EgressVRF: Global, Endpoint Profile: Invalid ID, ACPolicy: ACP-Management, AccessControlRuleName: Default Deny, Prefilter Policy: Management Prefilter Policy, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 70, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, ClientAppDetector: AppID"
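To make the requested extraction concrete, the following is an added Python example (not code from the cisco_ftd integration or its ingest pipeline) that parses the `key: value` body of the 430002/430003 messages shown above and pulls out the six SGT/EPG fields. The target field names (`source.security_group.name`, `destination.dynamic_attribute`, and so on) are assumptions chosen for illustration, not the integration's actual schema. The two sample strings are constructed from the anonymized events in this issue; the second one deliberately keeps the quirk visible in the first capture, where the record is cut off at `ResponderB` and a second syslog record with its `<166>` priority prefix is glued onto the same line, so the parser also demonstrates splitting such a line into two records.

```python
import re

# Constructed sample: the anonymized 430002 event quoted in this issue.
SAMPLE_430002 = (
    "2025-09-01T14:00:00Z gy-t103ret : %FTD-6-430002: EventPriority: Low, "
    "DeviceUUID: d697c8ca-9fe4-43e6-aeb5-33e277e5ffea, InstanceID: 4, "
    "FirstPacketSecond: 2025-09-01T14:00:03Z, ConnectionID: 36584, "
    "AccessControlRuleAction: Block, SrcIP: 172.1.1.2, DstIP: 10.1.2.3, "
    "SrcPort: 56799, DstPort: 22, Protocol: tcp, IngressInterface: INT-XX-ALGV, "
    "EgressInterface: INT-XX_DEFAULT_YY, SourceSecurityGroup: 2005, "
    "SourceSecurityGroupTag: 2005, DestinationSecurityGroup: 9, "
    "DestinationSecurityGroupTag: 9, SourceSecurityGroupType: Session Directory, "
    "DestinationSecurityGroupType: SXP, IngressVRF: Global, EgressVRF: Global, "
    "Endpoint Profile: Invalid ID, ACPolicy: ACP-Management, "
    "AccessControlRuleName: Default Deny, Prefilter Policy: Management Prefilter Policy, "
    "InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 70, ResponderBytes: 0, "
    "NAPPolicy: Balanced Security and Connectivity, ClientAppDetector: AppID"
)

# Constructed sample: a shortened form of the 430003 event from this issue, keeping the
# capture quirk where the record is cut off ("ResponderB") and a second syslog record,
# with its <PRI> prefix, follows on the same line.
SAMPLE_430003_GLUED = (
    "2025-09-01T12:00:00Z gy-t103ret : %FTD-6-430003: EventPriority: Low, "
    "ConnectionID: 39416, AccessControlRuleAction: Trust, SrcIP: 172.1.1.2, DstIP: 10.1.2.3, "
    "SourceSecurityGroup: SGT_ALG_X_Y_Z, SourceSecurityGroupTag: 2003, "
    "SourceSecurityGroupType: Session Directory, "
    "DestinationIP_DynamicAttribute: APIC_X-LERE-03_YY-ALGV-TEST_EPG-ADS-P-DIR, "
    "Endpoint Profile: Workstation:Microsoft-Workstation:Windows11-Workstation, "
    "InitiatorBytes: 31, ResponderB<166>2025-09-01T12:35:14Z gy-t103ret : %FTD-6-302016: "
    "Teardown UDP connection 2913341217 for ALGVHUB-RESTRICTED005:172.1.1.2/56799 "
    "to ALGV-PI002:10.1.2.3/53 duration 0:00:00 bytes 269"
)

# Header: optional <PRI>, ISO timestamp, hostname, " : ", then %FTD-<severity>-<message id>.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) : "
    r"%FTD-(?P<severity>\d)-(?P<message_id>\d{6}): (?P<body>.*)$"
)

# A second record starts wherever a <PRI> tag is immediately followed by an ISO timestamp.
GLUE_RE = re.compile(r"(?=<\d{1,3}>\d{4}-\d{2}-\d{2}T)")


def split_records(line):
    """Split one physical line into the syslog records glued together in it."""
    return [r for r in GLUE_RE.split(line) if r]


def parse_header(record):
    m = HEADER_RE.match(record)
    return m.groupdict() if m else None


def parse_kv_body(body):
    """Parse 'Key: Value, Key: Value' pairs. Values may themselves contain ':' (e.g.
    'Endpoint Profile: Workstation:Microsoft-Workstation:...'), so split on ': ' once."""
    fields = {}
    for part in body.split(", "):
        key, sep, value = part.partition(": ")
        if not sep:
            continue  # truncated fragment such as "ResponderB": drop it rather than mis-key it
        fields[key.strip()] = value.strip()
    return fields


def as_tag(value):
    """Tags are numeric when present; return int or None so the field has a single type."""
    return int(value) if value is not None and value.isdigit() else None


def extract_sgt(fields):
    """Map the six fields from this issue to assumed target names. Group names are kept
    as strings even when they look numeric (e.g. '2005'), since the same field can carry
    either a name or a number and a mixed-type field would break an index mapping."""
    return {
        "source.security_group.name": fields.get("SourceSecurityGroup"),
        "source.security_group.tag": as_tag(fields.get("SourceSecurityGroupTag")),
        "source.security_group.type": fields.get("SourceSecurityGroupType"),
        "destination.security_group.name": fields.get("DestinationSecurityGroup"),
        "destination.security_group.tag": as_tag(fields.get("DestinationSecurityGroupTag")),
        "destination.security_group.type": fields.get("DestinationSecurityGroupType"),
        "destination.dynamic_attribute": fields.get("DestinationIP_DynamicAttribute"),
    }


def parse_line(line):
    """Return one event dict per syslog record found in the line."""
    events = []
    for record in split_records(line):
        hdr = parse_header(record)
        if hdr is None:
            continue
        event = {k: v for k, v in hdr.items() if k != "body"}
        if hdr["message_id"] in ("430002", "430003"):
            fields = parse_kv_body(hdr["body"])
            event["ftd"] = fields
            event["sgt"] = extract_sgt(fields)
        else:
            event["message"] = hdr["body"]  # e.g. 302016 teardown text, not key/value
        events.append(event)
    return events


if __name__ == "__main__":
    for sample in (SAMPLE_430002, SAMPLE_430003_GLUED):
        for ev in parse_line(sample):
            print(ev["message_id"], ev.get("sgt") or ev.get("message"))
```

The design point worth carrying into the real pipeline is the type handling: `SourceSecurityGroup`/`DestinationSecurityGroup` can be a name or a number, so they should land in a keyword field, while the `*Tag` fields can safely be numeric. Splitting the glued record on the `<PRI>` boundary is only needed because the capture shown above contains two records on one line; a correctly delimited syslog feed would deliver them separately.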

Expected Behavior

The cisco_ftd integration should be updated to correctly parse the six fields listed above, extracting their values into dedicated fields for better searchability and analysis within Elastic.

Supporting documentation

Cisco Firepower Threat Defense Syslog Messages: https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/fptd_syslog_guide/security-event-syslog-messages.html#id_87692

Existing Features

The existing Cisco FTD integration is not parsing six specific fields related to Security Group Tag (SGT) and Endpoint Group (EPG) information. This data, although present in the event.original field of the log messages, is not being extracted and mapped to structured fields, which is essential for effective searching and analysis within Elastic.

What did you see?

See above. event.original has been anonymized for security purposes.

Anything else?

No response
