From 2cbb7f98afa6f07b5d5d7336b39e207f67fd8920 Mon Sep 17 00:00:00 2001
From: Doug W <55553826+dwhyrock@users.noreply.github.com>
Date: Wed, 27 Nov 2024 12:23:55 -0500
Subject: [PATCH] [cisco_asa] Handle another variation of message 113040 (#11884)

* Handle another variation of 113040
* Updating changelog and manifest
* Add expected logs
* using two dissect processors
* updating tag name
---
 packages/cisco_asa/changelog.yml | 5 ++
 ...106023-iface-with-prefix.log-expected.json | 2 +-
 .../pipeline/test-anyconnect-messages.log | 1 +
 ...test-anyconnect-messages.log-expected.json | 72 +++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 10 ++-
 packages/cisco_asa/manifest.yml | 2 +-
 6 files changed, 88 insertions(+), 4 deletions(-)

diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml
index 0c704a0c7c7..05443248fd7 100644
--- a/packages/cisco_asa/changelog.yml
+++ b/packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.38.3"
+ changes:
+ - description: "Handles another variation of log message type 113040 that includes a Group and Terminating message."
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11884
 - version: "2.38.2"
 changes:
 - description: "Add a check before a processor that consistently fails when invalid data transits the integration."
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-106023-iface-with-prefix.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-106023-iface-with-prefix.log-expected.json
index aff311ec4fc..e4f6a062614 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-106023-iface-with-prefix.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-106023-iface-with-prefix.log-expected.json
@@ -673,4 +673,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log
index 9094ab1e830..c4e4142f63d 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log
@@ -13,3 +13,4 @@ Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-113040: Terminating the VPN
 <166>Jun 22 2022 13:29:11 single : %ASA-6-113039: Group User IP <81.2.69.144> AnyConnect parent session started.
 <166>Jun 22 2022 13:29:11 single : %ASA-6-113039: Group User IP <81.2.69.144> AnyConnect parent session started.
 <166>Jun 22 2022 13:29:11 single : %ASA-6-113039: Group User IP <81.2.69.144> AnyConnect parent session started.
+<164>Nov 18 2024 12:28:57 asa5525x-01 : %ASA-4-113040: Group User IP <10.1.2.3> Terminating the VPN connection attempt from . Reason: This connection is group locked to .
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log-expected.json
index f78f5a66201..c7b4960d46f 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log-expected.json
@@ -1085,6 +1085,78 @@
 "tags": [
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2024-11-18T12:28:57.000Z",
+ "cisco": {
+ "asa": {
+ "tunnel_group": "Group-Attempted"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "client-vpn-error",
+ "category": [
+ "network"
+ ],
+ "code": "113040",
+ "kind": "event",
+ "original": "<164>Nov 18 2024 12:28:57 asa5525x-01 : %ASA-4-113040: Group User IP <10.1.2.3> Terminating the VPN connection attempt from . Reason: This connection is group locked to .",
+ "outcome": "failure",
+ "severity": 4,
+ "timezone": "UTC",
+ "type": [
+ "connection",
+ "denied"
+ ]
+ },
+ "host": {
+ "hostname": "asa5525x-01"
+ },
+ "log": {
+ "level": "warning",
+ "syslog": {
+ "facility": {
+ "code": 20
+ },
+ "priority": 164,
+ "severity": {
+ "code": 4
+ }
+ }
+ },
+ "observer": {
+ "hostname": "asa5525x-01",
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "hosts": [
+ "asa5525x-01"
+ ],
+ "ip": [
+ "10.1.2.3"
+ ],
+ "user": [
+ "vpnusername"
+ ]
+ },
+ "source": {
+ "address": "10.1.2.3",
+ "ip": "10.1.2.3",
+ "user": {
+ "group": {
+ "name": "Tunnel-Group-Name"
+ },
+ "name": "vpnusername"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 3db580f1e9f..867d39ab85e 100644
--- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -455,8 +455,14 @@ processors: description: "113023" pattern: "AAA Marking %{network.protocol} server %{destination.address} in aaa-server group %{}" - dissect: - if: "ctx._temp_.cisco.message_id == '113040'" - tag: parse_113040 + if: "ctx._temp_.cisco.message_id == '113040' && ctx.message.startsWith('Group')" + tag: parse_113040_group + field: "message" + description: "113040" + pattern: "Group <%{source.user.group.name}> User <%{source.user.name}> IP <%{source.address}> Terminating the VPN connection attempt from <%{_temp_.cisco.tunnel_group}>. Reason: This connection is group locked to %{}." + - dissect: + if: "ctx._temp_.cisco.message_id == '113040' && !ctx.message.startsWith('Group')" + tag: parse_113040_no_group field: "message" description: "113040" pattern: "Terminating the VPN connection attempt from %{source.user.group.name}. Reason: This connection is group locked to %{}." diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml index 1d64456a56c..2fbed52cff9 100644 --- a/packages/cisco_asa/manifest.yml +++ b/packages/cisco_asa/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: cisco_asa title: Cisco ASA -version: "2.38.2" +version: "2.38.3" description: Collect logs from Cisco ASA with Elastic Agent. type: integration categories:
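Review bot: The two 113040 dissects map the same syslog element — the tunnel group the connection attempt came from — to different ECS fields: `parse_113040_group` writes it to `_temp_.cisco.tunnel_group` (it surfaces as `cisco.asa.tunnel_group` in the new expected output, with the `Group <...>` prefix going to `source.user.group.name`), while `parse_113040_no_group` keeps writing the "from" value to `source.user.group.name`, so a detection for group-lock violations has to check a different field depending on which message form the ASA emitted. Both patterns also discard the group the user is actually locked to via the trailing `%{}`, which is the value an analyst needs to tell a misconfigured client profile from a deliberate attempt to reach another tunnel group. I would capture it in both patterns, e.g. `Reason: This connection is group locked to %{_temp_.cisco.locked_group}.` (presumably needing a field mapping and rename step elsewhere in the pipeline), and either add a `set` with `copy_from` so the no-group branch also populates `_temp_.cisco.tunnel_group` or call the field divergence out in the changelog. The `processors` list these entries belong to starts and ends outside the hunk, so I cannot see whether an `on_failure` handler covers a 113040 message that matches neither pattern.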