Fix Cisco ASA and FTD parsing of unexpected domain names (#14035)

This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes #14034

Author: adriansr

CHANGELOG.next.asciidoc

@@ -166,6 +166,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix merging of fields specified in global scope with fields specified under an input's scope. {issue}3628[3628] {pull}13909[13909]
 - Fix delay in enforcing close_renamed and close_removed options. {issue}13488[13488] {pull}13907[13907]
 - Fix missing netflow fields in index template. {issue}13768[13768] {pull}13914[13914]
+- Fix cisco module's asa and ftd filesets parsing of domain names where an IP address is expected. {issue}14034[14034]
 
 *Heartbeat*
 

filebeat/docs/modules/cisco.asciidoc

@@ -124,7 +124,7 @@ Mappings for Intrusion events fields:
 |====================================
 | FTD Field | Mapped fields
 | ApplicationProtocol | network.protocol
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | EgressInterface | cisco.ftd.destination_interface
 | GID | service.id
@@ -134,7 +134,7 @@ Mappings for Intrusion events fields:
 | IntrusionPolicy | cisco.ftd.rule_name
 | Message | message
 | Protocol | network.transport
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | User | user.id, user.name
 | WebApplication | network.application
@@ -152,7 +152,7 @@ Mappings for Connection and Security Intelligence events fields:
 | DNSQuery | dns.question.name
 | DNSRecordType | dns.question.type
 | DNSResponseType | dns.response_code
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | EgressInterface | cisco.ftd.destination_interface
 | HTTPReferer | http.request.referrer
@@ -167,13 +167,13 @@ Mappings for Connection and Security Intelligence events fields:
 | ResponderPackets | destination.packets
 | SSLActualAction | event.outcome
 | SSLServerName | server.domain
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | URL | url.original
 | User | user.name
 | UserAgent | user_agent.original
 | WebApplication | network.application
-| originalClientSrcIP | client.ip
+| originalClientSrcIP | client.address
 |====================================
 
 Mappings for File and Malware events fields:
@@ -184,15 +184,15 @@ Mappings for File and Malware events fields:
 | ArchiveFileName | file.name
 | ArchiveSHA256 | file.hash.sha256
 | Client | network.application
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | FileName | file.name
 | FilePolicy | cisco.ftd.rule_name
 | FileSHA256 | file.hash.sha256
 | FileSize | file.size
 | FirstPacketSecond | event.start
 | Protocol | network.transport
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | URI | url.original
 | User | user.name

x-pack/filebeat/module/cisco/_meta/docs.asciidoc

@@ -119,7 +119,7 @@ Mappings for Intrusion events fields:
 |====================================
 | FTD Field | Mapped fields
 | ApplicationProtocol | network.protocol
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | EgressInterface | cisco.ftd.destination_interface
 | GID | service.id
@@ -129,7 +129,7 @@ Mappings for Intrusion events fields:
 | IntrusionPolicy | cisco.ftd.rule_name
 | Message | message
 | Protocol | network.transport
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | User | user.id, user.name
 | WebApplication | network.application
@@ -147,7 +147,7 @@ Mappings for Connection and Security Intelligence events fields:
 | DNSQuery | dns.question.name
 | DNSRecordType | dns.question.type
 | DNSResponseType | dns.response_code
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | EgressInterface | cisco.ftd.destination_interface
 | HTTPReferer | http.request.referrer
@@ -162,13 +162,13 @@ Mappings for Connection and Security Intelligence events fields:
 | ResponderPackets | destination.packets
 | SSLActualAction | event.outcome
 | SSLServerName | server.domain
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | URL | url.original
 | User | user.name
 | UserAgent | user_agent.original
 | WebApplication | network.application
-| originalClientSrcIP | client.ip
+| originalClientSrcIP | client.address
 |====================================
 
 Mappings for File and Malware events fields:
@@ -179,15 +179,15 @@ Mappings for File and Malware events fields:
 | ArchiveFileName | file.name
 | ArchiveSHA256 | file.hash.sha256
 | Client | network.application
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | FileName | file.name
 | FilePolicy | cisco.ftd.rule_name
 | FileSHA256 | file.hash.sha256
 | FileSize | file.size
 | FirstPacketSecond | event.start
 | Protocol | network.transport
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | URI | url.original
 | User | user.name