[cisco_ftd] Add Pasrsing for Some Extra Fields

[mohitjha-elastic]

Proposed Commit Message

cisco_ftd: add parsing for `EncryptPeerIP` and `VPN_Action` fields.

Previously, these fields were not handled in the pipeline.
This adds parsing logic to support `EncryptPeerIP` and `VPN_Action`, 
enabling their proper processing in the data flow.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/cisco_ftd directory.
Run the following command to run tests.
elastic-package test -v

Related issues

• Enhancements repo - 23222

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 4cf0605

cc @mohitjha-elastic

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

[jrmolin]

seems okay, but i don't see how the tcp moved to udp. please verify that

[jrmolin]

is this intentional?

[mohitjha-elastic]

elastic-package sometimes select a new sample event randomly and the order itself isn't deterministic hence the changes related to the sample events and readme is intentional.

[jrmolin]

please verify this is also correct -- i don't see evidence of it.

[jrmolin]

same as above

[taylor-swanson]

seems okay, but i don't see how the tcp moved to udp. please verify that

@jrmolin @mohitjha-elastic,

So I've noticed that elastic-package will sometimes select a new sample event. Could be that the logic to select which event to use changed, or the order itself isn't deterministic, but either way, it's usually not an issue. I haven't reviewed the changes yet, but I almost always ignore changes to the sample event.

[taylor-swanson]

LGTM

Regarding the sample event changes, seems like it just chose the UDP input one this time. Other field changes seem consistent with newer agent versions.

[elastic-vault-github-plugin-prod]

Package cisco_ftd - 3.9.0 containing this change is available at https://epr.elastic.co/package/cisco_ftd/3.9.0/