diff --git a/packages/fireeye/changelog.yml b/packages/fireeye/changelog.yml index d07c1548a2e..d0ca6734e76 100644 --- a/packages/fireeye/changelog.yml +++ b/packages/fireeye/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.2.1" + changes: + - description: Fix field mappings for `dns.id` and `network.iana_number` + type: enhancement + link: https://github.com/elastic/integrations/pull/2892 - version: "1.2.0" changes: - description: Update to ECS 8.0 diff --git a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json index 780a7fa0934..82d2fda1aeb 100644 --- a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json +++ b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json @@ -1,415 +1,395 @@ { "expected": [ { - "observer": { - "product": "NX", - "vendor": "Fireeye" - }, "@timestamp": "2020-09-22T08:34:44.991Z", + "destination": { + "address": "ff02:0000:0000:0000:0000:0000:0000:0001", + "bytes": 0, + "ip": "ff02:0000:0000:0000:0000:0000:0000:0001", + "packets": 0, + "port": 10001 + }, "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "fe80:0000:0000:0000:feec:daff:fe31:b706", - "ff02:0000:0000:0000:0000:0000:0000:0001" - ] + "event": { + "ingested": "2022-03-26T18:20:15.891947350Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "type": "flow" }, "fireeye": { "nx": { - "flow_id": 721570461162990, "flow": { - "reason": "timeout", + "age": 0, + "alerted": false, "endtime": "2020-09-22T08:34:12.761348+0000", + "reason": "timeout", "starttime": "2020-09-22T08:34:12.761326+0000", - "state": "new", - "age": 0, - "alerted": false - } + "state": "new" + }, + "flow_id": 721570461162990 } }, - "destination": { - "address": "ff02:0000:0000:0000:0000:0000:0000:0001", - "port": 10001, - "bytes": 0, - "packets": 0, - "ip": "ff02:0000:0000:0000:0000:0000:0000:0001" + "network": { + "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=", + "iana_number": "17", + "protocol": "failed", + "transport": "udp" + }, + "observer": { + "product": "NX", + "vendor": "Fireeye" + }, + "related": { + "ip": [ + "fe80:0000:0000:0000:feec:daff:fe31:b706", + "ff02:0000:0000:0000:0000:0000:0000:0001" + ] }, "source": { "address": "fe80:0000:0000:0000:feec:daff:fe31:b706", - "port": 45944, "bytes": 1680, + "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706", "packets": 8, - "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706" - }, - "event": { - "type": "flow", - "ingested": "2021-12-31T02:12:53.720974214Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "port": 45944 }, "tags": [ "preserve_original_event" - ], - "network": { - "protocol": "failed", - "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=", - "transport": "udp", - "iana_number": 17 - } + ] }, { - "observer": { - "product": "NX", - "vendor": "Fireeye" - }, "@timestamp": "2020-09-22T08:34:44.993Z", + "destination": { + "address": "67.43.156.14", + "as": { + "number": 35908 + }, + "bytes": 90, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "packets": 1, + "port": 123 + }, "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "192.168.1.15", - "67.43.156.14" - ] + "event": { + "ingested": "2022-03-26T18:20:15.891951511Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993228+0000\\\",\\\"flow_id\\\":175370876476591,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":39808,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:33:15.122031+0000\\\",\\\"end\\\":\\\"2020-09-22T08:33:15.193693+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":475,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "type": "flow" }, "fireeye": { "nx": { - "flow_id": 175370876476591, "flow": { - "reason": "shutdown", + "age": 0, + "alerted": false, "endtime": "2020-09-22T08:33:15.193693+0000", + "reason": "shutdown", "starttime": "2020-09-22T08:33:15.122031+0000", - "state": "established", - "age": 0, - "alerted": false - } + "state": "established" + }, + "flow_id": 175370876476591 } }, - "destination": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "address": "67.43.156.14", - "port": 123, - "bytes": 90, - "ip": "67.43.156.14", - "packets": 1 + "network": { + "community_id": "1:RXq9OIqNb6ISMqP+R+uVnsOCMAc=", + "iana_number": "17", + "protocol": "failed", + "transport": "udp" + }, + "observer": { + "product": "NX", + "vendor": "Fireeye" + }, + "related": { + "ip": [ + "192.168.1.15", + "67.43.156.14" + ] }, "source": { "address": "192.168.1.15", - "port": 39808, "bytes": 90, + "ip": "192.168.1.15", "packets": 1, - "ip": "192.168.1.15" - }, - "event": { - "type": "flow", - "ingested": "2021-12-31T02:12:53.720977014Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993228+0000\\\",\\\"flow_id\\\":175370876476591,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":39808,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:33:15.122031+0000\\\",\\\"end\\\":\\\"2020-09-22T08:33:15.193693+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":475,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "port": 39808 }, "tags": [ "preserve_original_event" - ], - "network": { - "protocol": "failed", - "community_id": "1:RXq9OIqNb6ISMqP+R+uVnsOCMAc=", - "transport": "udp", - "iana_number": 17 - } + ] }, { - "observer": { - "product": "NX", - "vendor": "Fireeye" - }, "@timestamp": "2020-09-22T08:34:44.993Z", + "destination": { + "address": "ff02:0000:0000:0000:0000:0000:0000:0001", + "bytes": 0, + "ip": "ff02:0000:0000:0000:0000:0000:0000:0001", + "packets": 0, + "port": 10001 + }, "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "fe80:0000:0000:0000:feec:daff:fe31:b706", - "ff02:0000:0000:0000:0000:0000:0000:0001" - ] + "event": { + "ingested": "2022-03-26T18:20:15.891953408Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993227+0000\\\",\\\"flow_id\\\":1285126005631046,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":44535,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:22.763974+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:22.764073+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":522,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "type": "flow" }, "fireeye": { "nx": { - "flow_id": 1285126005631046, "flow": { - "reason": "shutdown", + "age": 0, + "alerted": false, "endtime": "2020-09-22T08:34:22.764073+0000", + "reason": "shutdown", "starttime": "2020-09-22T08:34:22.763974+0000", - "state": "new", - "age": 0, - "alerted": false - } + "state": "new" + }, + "flow_id": 1285126005631046 } }, - "destination": { - "address": "ff02:0000:0000:0000:0000:0000:0000:0001", - "port": 10001, - "bytes": 0, - "packets": 0, - "ip": "ff02:0000:0000:0000:0000:0000:0000:0001" + "network": { + "community_id": "1:99eFhjuGzHgOvXPRAgULIELViPs=", + "iana_number": "17", + "protocol": "failed", + "transport": "udp" + }, + "observer": { + "product": "NX", + "vendor": "Fireeye" + }, + "related": { + "ip": [ + "fe80:0000:0000:0000:feec:daff:fe31:b706", + "ff02:0000:0000:0000:0000:0000:0000:0001" + ] }, "source": { "address": "fe80:0000:0000:0000:feec:daff:fe31:b706", - "port": 44535, "bytes": 1680, + "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706", "packets": 8, - "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706" - }, - "event": { - "type": "flow", - "ingested": "2021-12-31T02:12:53.720978150Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993227+0000\\\",\\\"flow_id\\\":1285126005631046,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":44535,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:22.763974+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:22.764073+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":522,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "port": 44535 }, "tags": [ "preserve_original_event" - ], - "network": { - "protocol": "failed", - "community_id": "1:99eFhjuGzHgOvXPRAgULIELViPs=", - "transport": "udp", - "iana_number": 17 - } + ] }, { - "observer": { - "product": "NX", - "vendor": "Fireeye" - }, "@timestamp": "2020-09-22T08:34:44.993Z", + "destination": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, + "bytes": 59808, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "packets": 544, + "port": 5938 + }, "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "192.168.1.150", - "67.43.156.15" - ] + "event": { + "ingested": "2022-03-26T18:20:15.891955258Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993286+0000\\\",\\\"flow_id\\\":222460015300681,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"src_port\\\":51082,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":5938,\\\"proto\\\":\\\"TCP\\\",\\\"proto_number\\\":6,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":799,\\\"pkts_toclient\\\":544,\\\"bytes_toserver\\\":69825,\\\"bytes_toclient\\\":59808,\\\"start\\\":\\\"2020-09-22T04:48:48.282697+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:36.067255+0000\\\",\\\"age\\\":13548,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false},\\\"tcp\\\":{\\\"tcp_flags\\\":\\\"1a\\\",\\\"tcp_flags_ts\\\":\\\"1a\\\",\\\"tcp_flags_tc\\\":\\\"1a\\\",\\\"syn\\\":true,\\\"psh\\\":true,\\\"ack\\\":true,\\\"state\\\":\\\"established\\\"}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":611,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "type": "flow" }, "fireeye": { "nx": { - "tcp": { - "tcp_flags_ts": "1a", - "tcp_flags_tc": "1a", - "psh": true, - "tcp_flags": "1a", - "ack": true, - "syn": true, - "state": "established" - }, - "flow_id": 222460015300681, "flow": { - "reason": "shutdown", + "age": 13548, + "alerted": false, "endtime": "2020-09-22T08:34:36.067255+0000", + "reason": "shutdown", "starttime": "2020-09-22T04:48:48.282697+0000", + "state": "established" + }, + "flow_id": 222460015300681, + "tcp": { + "ack": true, + "psh": true, "state": "established", - "age": 13548, - "alerted": false + "syn": true, + "tcp_flags": "1a", + "tcp_flags_tc": "1a", + "tcp_flags_ts": "1a" } } }, - "destination": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "address": "67.43.156.15", - "port": 5938, - "bytes": 59808, - "ip": "67.43.156.15", - "packets": 544 + "network": { + "community_id": "1:45/AGSM9JqMdS9WIK3bAZqim3A4=", + "iana_number": "6", + "protocol": "failed", + "transport": "tcp" + }, + "observer": { + "product": "NX", + "vendor": "Fireeye" + }, + "related": { + "ip": [ + "192.168.1.150", + "67.43.156.15" + ] }, "source": { "address": "192.168.1.150", - "port": 51082, "bytes": 69825, + "ip": "192.168.1.150", "packets": 799, - "ip": "192.168.1.150" - }, - "event": { - "type": "flow", - "ingested": "2021-12-31T02:12:53.720979131Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993286+0000\\\",\\\"flow_id\\\":222460015300681,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"src_port\\\":51082,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":5938,\\\"proto\\\":\\\"TCP\\\",\\\"proto_number\\\":6,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":799,\\\"pkts_toclient\\\":544,\\\"bytes_toserver\\\":69825,\\\"bytes_toclient\\\":59808,\\\"start\\\":\\\"2020-09-22T04:48:48.282697+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:36.067255+0000\\\",\\\"age\\\":13548,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false},\\\"tcp\\\":{\\\"tcp_flags\\\":\\\"1a\\\",\\\"tcp_flags_ts\\\":\\\"1a\\\",\\\"tcp_flags_tc\\\":\\\"1a\\\",\\\"syn\\\":true,\\\"psh\\\":true,\\\"ack\\\":true,\\\"state\\\":\\\"established\\\"}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":611,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "port": 51082 }, "tags": [ "preserve_original_event" - ], - "network": { - "protocol": "failed", - "community_id": "1:45/AGSM9JqMdS9WIK3bAZqim3A4=", - "transport": "tcp", - "iana_number": 6 - } + ] }, { - "observer": { - "product": "NX", - "vendor": "Fireeye" - }, "@timestamp": "2020-09-22T08:34:44.993Z", + "destination": { + "address": "67.43.156.14", + "as": { + "number": 35908 + }, + "bytes": 90, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "packets": 1, + "port": 123 + }, "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "192.168.1.15", - "67.43.156.14" - ] + "event": { + "ingested": "2022-03-26T18:20:15.891957082Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993501+0000\\\",\\\"flow_id\\\":1463569002949603,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":52147,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:32:06.355299+0000\\\",\\\"end\\\":\\\"2020-09-22T08:32:06.439495+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":476,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "type": "flow" }, "fireeye": { "nx": { - "flow_id": 1463569002949603, "flow": { - "reason": "shutdown", + "age": 0, + "alerted": false, "endtime": "2020-09-22T08:32:06.439495+0000", + "reason": "shutdown", "starttime": "2020-09-22T08:32:06.355299+0000", - "state": "established", - "age": 0, - "alerted": false - } + "state": "established" + }, + "flow_id": 1463569002949603 } }, - "destination": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "address": "67.43.156.14", - "port": 123, - "bytes": 90, - "ip": "67.43.156.14", - "packets": 1 + "network": { + "community_id": "1:lPFhChZNfHDZ1i2YD0w8DBTTAf0=", + "iana_number": "17", + "protocol": "failed", + "transport": "udp" + }, + "observer": { + "product": "NX", + "vendor": "Fireeye" + }, + "related": { + "ip": [ + "192.168.1.15", + "67.43.156.14" + ] }, "source": { "address": "192.168.1.15", - "port": 52147, "bytes": 90, + "ip": "192.168.1.15", "packets": 1, - "ip": "192.168.1.15" - }, - "event": { - "type": "flow", - "ingested": "2021-12-31T02:12:53.720980093Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993501+0000\\\",\\\"flow_id\\\":1463569002949603,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":52147,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:32:06.355299+0000\\\",\\\"end\\\":\\\"2020-09-22T08:32:06.439495+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":476,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "port": 52147 }, "tags": [ "preserve_original_event" - ], - "network": { - "protocol": "failed", - "community_id": "1:lPFhChZNfHDZ1i2YD0w8DBTTAf0=", - "transport": "udp", - "iana_number": 17 - } + ] }, { - "fireeye": { - "nx": { - "flow_id": 1136872856843530 - } - }, + "@timestamp": "2020-09-23T05:02:01.175Z", "destination": { + "address": "67.43.156.13", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.13", - "port": 443, - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "port": 443 }, - "source": { - "port": 53918, - "address": "192.168.1.99", - "ip": "192.168.1.99" + "ecs": { + "version": "8.0.0" + }, + "event": { + "ingested": "2022-03-26T18:20:15.891958935Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:01.175635+0000\\\",\\\"flow_id\\\":1136872856843530,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"tls\\\",\\\"src_ip\\\":\\\"192.168.1.99\\\",\\\"src_port\\\":53918,\\\"dest_ip\\\":\\\"67.43.156.13\\\",\\\"dest_port\\\":443,\\\"proto\\\":\\\"TCP\\\",\\\"tls\\\":{\\\"subject\\\":\\\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\\\",\\\"issuerdn\\\":\\\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3\\\",\\\"ja3\\\":{\\\"hash\\\":\\\"21536525fbf9e289f79e0f98af64bb59\\\",\\\"string\\\":\\\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\\\"},\\\"ja3s\\\":{\\\"hash\\\":\\\"9873b112313d7c4e5e8ef6207e6c6f0d\\\",\\\"string\\\":\\\"771,49195,0-65281-11-13172\\\"},\\\"fingerprint\\\":\\\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\\\",\\\"sni\\\":\\\"cloud.fireeye.com\\\",\\\"version\\\":\\\"TLS 1.2\\\",\\\"notbefore\\\":\\\"2020-07-01T00:00:00.000000+0000\\\",\\\"notafter\\\":\\\"2021-07-01T12:00:00.000000+0000\\\",\\\"client_ciphersuites\\\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\\\"client_tls_exts\\\":[0,11,10,13,15,13172],\\\"server_ciphersuite\\\":49195,\\\"server_tls_exts\\\":[0,65281,11,13172],\\\"pubkeylength\\\":65}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":1146,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "type": "tls" + }, + "fireeye": { + "nx": { + "flow_id": 1136872856843530 + } }, "interface": { "name": "pether3" }, - "tags": [ - "preserve_original_event" - ], "network": { "community_id": "1:YekG1DgBPSO2IV15xvK9ncRxx8c=", - "iana_number": 6, + "iana_number": "6", "transport": "tcp" }, "observer": { "product": "NX", "vendor": "Fireeye" }, - "@timestamp": "2020-09-23T05:02:01.175Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "192.168.1.99", "67.43.156.13" ] }, + "source": { + "address": "192.168.1.99", + "ip": "192.168.1.99", + "port": 53918 + }, + "tags": [ + "preserve_original_event" + ], "tls": { - "server": { - "ciphersuite": 49195, - "ja3s_string": "771,49195,0-65281-11-13172", - "ja3s": "9873b112313d7c4e5e8ef6207e6c6f0d", - "tls_exts": [ - 0, - 65281, - 11, - 13172 - ] - }, "client": { - "not_after": "2021-07-01T12:00:00.000000+0000", - "server_name": "cloud.fireeye.com", - "not_before": "2020-07-01T00:00:00.000000+0000", - "subject": "C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com", - "tls_exts": [ - 0, - 11, - 10, - 13, - 15, - 13172 - ], - "fingerprint": "2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58", - "ja3_string": "771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2", "ciphersuites": [ 49199, 49195, @@ -437,167 +417,187 @@ 53, 255 ], + "fingerprint": "2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58", + "issuer": "C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3", "ja3": "21536525fbf9e289f79e0f98af64bb59", - "issuer": "C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3" + "ja3_string": "771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2", + "not_after": "2021-07-01T12:00:00.000000+0000", + "not_before": "2020-07-01T00:00:00.000000+0000", + "server_name": "cloud.fireeye.com", + "subject": "C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com", + "tls_exts": [ + 0, + 11, + 10, + 13, + 15, + 13172 + ] }, "public_keylength": 65, + "server": { + "ciphersuite": 49195, + "ja3s": "9873b112313d7c4e5e8ef6207e6c6f0d", + "ja3s_string": "771,49195,0-65281-11-13172", + "tls_exts": [ + 0, + 65281, + 11, + 13172 + ] + }, "version": "TLS 1.2" - }, - "event": { - "type": "tls", - "ingested": "2021-12-31T02:12:53.720981044Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:01.175635+0000\\\",\\\"flow_id\\\":1136872856843530,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"tls\\\",\\\"src_ip\\\":\\\"192.168.1.99\\\",\\\"src_port\\\":53918,\\\"dest_ip\\\":\\\"67.43.156.13\\\",\\\"dest_port\\\":443,\\\"proto\\\":\\\"TCP\\\",\\\"tls\\\":{\\\"subject\\\":\\\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\\\",\\\"issuerdn\\\":\\\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3\\\",\\\"ja3\\\":{\\\"hash\\\":\\\"21536525fbf9e289f79e0f98af64bb59\\\",\\\"string\\\":\\\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\\\"},\\\"ja3s\\\":{\\\"hash\\\":\\\"9873b112313d7c4e5e8ef6207e6c6f0d\\\",\\\"string\\\":\\\"771,49195,0-65281-11-13172\\\"},\\\"fingerprint\\\":\\\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\\\",\\\"sni\\\":\\\"cloud.fireeye.com\\\",\\\"version\\\":\\\"TLS 1.2\\\",\\\"notbefore\\\":\\\"2020-07-01T00:00:00.000000+0000\\\",\\\"notafter\\\":\\\"2021-07-01T12:00:00.000000+0000\\\",\\\"client_ciphersuites\\\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\\\"client_tls_exts\\\":[0,11,10,13,15,13172],\\\"server_ciphersuite\\\":49195,\\\"server_tls_exts\\\":[0,65281,11,13172],\\\"pubkeylength\\\":65}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":1146,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } }, { + "@timestamp": "2020-09-23T05:02:19.906Z", + "destination": { + "address": "192.168.100.31", + "ip": "192.168.100.31", + "port": 5601 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "ingested": "2022-03-26T18:20:15.891960832Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:19.906154+0000\\\",\\\"flow_id\\\":1444203537876422,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"fileinfo\\\",\\\"src_ip\\\":\\\"192.168.1.222\\\",\\\"src_port\\\":47220,\\\"dest_ip\\\":\\\"192.168.100.31\\\",\\\"dest_port\\\":5601,\\\"proto\\\":\\\"TCP\\\",\\\"http\\\":{\\\"hostname\\\":\\\"192.168.100.31\\\",\\\"url\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"http_user_agent\\\":\\\"Mozilla\\\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\\\/537.36 (KHTML, like Gecko) Chrome\\\\/85.0.4183.102 Safari\\\\/537.36\\\",\\\"http_refer\\\":\\\"http:\\\\/\\\\/192.168.100.31:5601\\\\/app\\\\/kibana\\\",\\\"http_method\\\":\\\"POST\\\",\\\"protocol\\\":\\\"HTTP\\\\/1.1\\\",\\\"length\\\":0},\\\"app_proto\\\":\\\"http\\\",\\\"fileinfo\\\":{\\\"filename\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"magic\\\":\\\"ASCII text, with very long lines, with no line terminators\\\",\\\"state\\\":\\\"CLOSED\\\",\\\"md5\\\":\\\"548d03d3e11c009da833e6e59c4adfee\\\",\\\"stored\\\":false,\\\"size\\\":6394,\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":769,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "type": "fileinfo" + }, "fireeye": { "nx": { "fileinfo": { - "magic": "ASCII text, with very long lines, with no line terminators", "filename": "/internal/search/es", - "state": "CLOSED", + "magic": "ASCII text, with very long lines, with no line terminators", + "md5": "548d03d3e11c009da833e6e59c4adfee", "size": 6394, - "stored": false, - "md5": "548d03d3e11c009da833e6e59c4adfee" + "state": "CLOSED", + "stored": false }, "flow_id": 1444203537876422 } }, - "destination": { - "port": 5601, - "address": "192.168.100.31", - "ip": "192.168.100.31" - }, - "source": { - "port": 47220, - "address": "192.168.1.222", - "ip": "192.168.1.222" + "http": { + "request": { + "method": "POST", + "referrer": "http://192.168.100.31:5601/app/kibana" + }, + "response": { + "bytes": 0 + }, + "version": "HTTP/1.1" }, "interface": { "name": "pether3" }, - "url": { - "path": "/internal/search/es", - "domain": "192.168.100.31" - }, - "tags": [ - "preserve_original_event" - ], "network": { - "protocol": "http", "community_id": "1:I4UBJQqMZJfuPtZwkZDG22mqIBk=", - "transport": "tcp", - "iana_number": 6 + "iana_number": "6", + "protocol": "http", + "transport": "tcp" }, "observer": { "product": "NX", "vendor": "Fireeye" }, - "@timestamp": "2020-09-23T05:02:19.906Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "192.168.1.222", "192.168.100.31" ] }, - "http": { - "request": { - "method": "POST", - "referrer": "http://192.168.100.31:5601/app/kibana" - }, - "version": "HTTP/1.1", - "response": { - "bytes": 0 - } + "source": { + "address": "192.168.1.222", + "ip": "192.168.1.222", + "port": 47220 }, - "event": { - "type": "fileinfo", - "ingested": "2021-12-31T02:12:53.720981982Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:19.906154+0000\\\",\\\"flow_id\\\":1444203537876422,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"fileinfo\\\",\\\"src_ip\\\":\\\"192.168.1.222\\\",\\\"src_port\\\":47220,\\\"dest_ip\\\":\\\"192.168.100.31\\\",\\\"dest_port\\\":5601,\\\"proto\\\":\\\"TCP\\\",\\\"http\\\":{\\\"hostname\\\":\\\"192.168.100.31\\\",\\\"url\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"http_user_agent\\\":\\\"Mozilla\\\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\\\/537.36 (KHTML, like Gecko) Chrome\\\\/85.0.4183.102 Safari\\\\/537.36\\\",\\\"http_refer\\\":\\\"http:\\\\/\\\\/192.168.100.31:5601\\\\/app\\\\/kibana\\\",\\\"http_method\\\":\\\"POST\\\",\\\"protocol\\\":\\\"HTTP\\\\/1.1\\\",\\\"length\\\":0},\\\"app_proto\\\":\\\"http\\\",\\\"fileinfo\\\":{\\\"filename\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"magic\\\":\\\"ASCII text, with very long lines, with no line terminators\\\",\\\"state\\\":\\\"CLOSED\\\",\\\"md5\\\":\\\"548d03d3e11c009da833e6e59c4adfee\\\",\\\"stored\\\":false,\\\"size\\\":6394,\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":769,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "192.168.100.31", + "path": "/internal/search/es" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "85.0.4183.102" } }, { - "fireeye": { - "nx": { - "flow_id": 206535698492848 - } - }, + "@timestamp": "2020-09-23T05:02:41.077Z", "destination": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.15", - "port": 53, - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "port": 53 }, "dns": { + "id": "28224", "question": { "name": "time-ios.apple.com", "type": "A" }, - "type": "query", - "id": 28224 + "type": "query" }, - "source": { - "port": 60269, - "address": "192.168.1.176", - "ip": "192.168.1.176" + "ecs": { + "version": "8.0.0" + }, + "event": { + "ingested": "2022-03-26T18:20:15.891962649Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:41.077232+0000\\\",\\\"flow_id\\\":206535698492848,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"dns\\\",\\\"src_ip\\\":\\\"192.168.1.176\\\",\\\"src_port\\\":60269,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":53,\\\"proto\\\":\\\"UDP\\\",\\\"dns\\\":{\\\"type\\\":\\\"query\\\",\\\"id\\\":28224,\\\"rrname\\\":\\\"time-ios.apple.com\\\",\\\"rrtype\\\":\\\"A\\\",\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":289,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "type": "dns" + }, + "fireeye": { + "nx": { + "flow_id": 206535698492848 + } }, "interface": { "name": "pether3" }, - "tags": [ - "preserve_original_event" - ], "network": { "community_id": "1:DrM2UXVr/51WHNjvsvUqPj+MU88=", - "iana_number": 17, + "iana_number": "17", "transport": "udp" }, "observer": { "product": "NX", "vendor": "Fireeye" }, - "@timestamp": "2020-09-23T05:02:41.077Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "192.168.1.176", "67.43.156.15" ] }, - "event": { - "type": "dns", - "ingested": "2021-12-31T02:12:53.720982904Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:41.077232+0000\\\",\\\"flow_id\\\":206535698492848,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"dns\\\",\\\"src_ip\\\":\\\"192.168.1.176\\\",\\\"src_port\\\":60269,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":53,\\\"proto\\\":\\\"UDP\\\",\\\"dns\\\":{\\\"type\\\":\\\"query\\\",\\\"id\\\":28224,\\\"rrname\\\":\\\"time-ios.apple.com\\\",\\\"rrtype\\\":\\\"A\\\",\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":289,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" - } + "source": { + "address": "192.168.1.176", + "ip": "192.168.1.176", + "port": 60269 + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml index 1811cb8f5db..265a574a53d 100644 --- a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml +++ b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml @@ -100,27 +100,27 @@ processors: if: "ctx?.network?.transport != null" lang: painless params: - icmp: 1 - igmp: 2 - ipv4: 4 - tcp: 6 - egp: 8 - igp: 9 - pup: 12 - udp: 17 - rdp: 27 - irtp: 28 - dccp: 33 - idpr: 35 - ipv6: 41 - ipv6-route: 43 - ipv6-frag: 44 - rsvp: 46 - gre: 47 - esp: 50 - ipv6-icmp: 58 - ipv6-nonxt: 59 - ipv6-opts: 60 + icmp: '1' + igmp: '2' + ipv4: '4' + tcp: '6' + egp: '8' + igp: '9' + pup: '12' + udp: '17' + rdp: '27' + irtp: '28' + dccp: '33' + idpr: '35' + ipv6: '41' + ipv6-route: '43' + ipv6-frag: '44' + rsvp: '46' + gre: '47' + esp: '50' + ipv6-icmp: '58' + ipv6-nonxt: '59' + ipv6-opts: '60' source: > def net = ctx.network; def iana = params[net.transport]; diff --git a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml index 49bb0657d64..6009b81d76d 100644 --- a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml +++ b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml @@ -326,9 +326,10 @@ processors: if: ctx?.event?.type == 'http' ignore_missing: true # dns event type fields - - rename: + - convert: field: rawmsg.dns.id target_field: dns.id + type: string if: ctx?.event?.type == 'dns' ignore_missing: true - rename: diff --git a/packages/fireeye/data_stream/nx/fields/ecs.yml b/packages/fireeye/data_stream/nx/fields/ecs.yml index 38cfd4e7283..f1d3ef0500a 100644 --- a/packages/fireeye/data_stream/nx/fields/ecs.yml +++ b/packages/fireeye/data_stream/nx/fields/ecs.yml @@ -120,6 +120,8 @@ name: network.protocol - external: ecs name: network.community_id +- external: ecs + name: network.iana_number - external: ecs name: event.type - external: ecs @@ -134,6 +136,8 @@ name: dns.answers.ttl - external: ecs name: dns.type +- external: ecs + name: dns.id - external: ecs name: tls.client.issuer - external: ecs diff --git a/packages/fireeye/data_stream/nx/fields/fields.yml b/packages/fireeye/data_stream/nx/fields/fields.yml index 9c05d9fffe0..8a25bb461f7 100644 --- a/packages/fireeye/data_stream/nx/fields/fields.yml +++ b/packages/fireeye/data_stream/nx/fields/fields.yml @@ -103,24 +103,6 @@ - name: public_keylength type: long description: TLS public key length. -- name: network - type: group - fields: - - name: iana_number - type: float - description: IANA Protocol Number. -- name: dns - type: group - fields: - - name: id - type: float - description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -- name: log - type: group - fields: - - name: source - type: group - fields: - - name: address - type: keyword - description: Logs Source Raw address. +- name: log.source.address + type: keyword + description: Logs Source Raw address. diff --git a/packages/fireeye/docs/README.md b/packages/fireeye/docs/README.md index 309e9f7ab85..ca73a2b410f 100644 --- a/packages/fireeye/docs/README.md +++ b/packages/fireeye/docs/README.md @@ -49,7 +49,7 @@ The `nx` integration ingests network security logs from FireEye NX through TCP/U | destination.packets | Packets sent from the destination to the source. | long | | destination.port | Port of the destination. | long | | dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | float | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | | dns.question.type | The type of record being queried. | keyword | | dns.response_code | The DNS response code. | keyword | @@ -107,7 +107,7 @@ The `nx` integration ingests network security logs from FireEye NX through TCP/U | log.offset | Log offset | long | | log.source.address | Logs Source Raw address. | keyword | | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.iana_number | IANA Protocol Number. | float | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | observer.product | The product name of the observer. | keyword | diff --git a/packages/fireeye/manifest.yml b/packages/fireeye/manifest.yml index 75986f733de..931d9bc9ecb 100644 --- a/packages/fireeye/manifest.yml +++ b/packages/fireeye/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: fireeye title: "Fireeye" -version: 1.2.0 +version: 1.2.1 license: basic description: "This Elastic integration collects Fireeye NX logs." type: integration