[Fireeye] Fix field conflicts

packages/fireeye/changelog.yml

@@ -1,3 +1,8 @@
+- version: "1.2.1"
+  changes:
+    - description: Fix field mappings for `dns.id` and `network.iana_number`
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2892
 - version: "1.2.0"
   changes:
     - description: Update to ECS 8.0

packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml

@@ -100,27 +100,27 @@ processors:
       if: "ctx?.network?.transport != null"
       lang: painless
       params:
-        icmp: 1
-        igmp: 2
-        ipv4: 4
-        tcp: 6
-        egp: 8
-        igp: 9
-        pup: 12
-        udp: 17
-        rdp: 27
-        irtp: 28
-        dccp: 33
-        idpr: 35
-        ipv6: 41
-        ipv6-route: 43
-        ipv6-frag: 44
-        rsvp: 46
-        gre: 47
-        esp: 50
-        ipv6-icmp: 58
-        ipv6-nonxt: 59
-        ipv6-opts: 60
+        icmp: '1'
+        igmp: '2'
+        ipv4: '4'
+        tcp: '6'
+        egp: '8'
+        igp: '9'
+        pup: '12'
+        udp: '17'
+        rdp: '27'
+        irtp: '28'
+        dccp: '33'
+        idpr: '35'
+        ipv6: '41'
+        ipv6-route: '43'
+        ipv6-frag: '44'
+        rsvp: '46'
+        gre: '47'
+        esp: '50'
+        ipv6-icmp: '58'
+        ipv6-nonxt: '59'
+        ipv6-opts: '60'
       source: >
         def net = ctx.network;
         def iana = params[net.transport];

packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml

@@ -326,9 +326,10 @@ processors:
       if: ctx?.event?.type == 'http'
       ignore_missing: true
   # dns event type fields
-  - rename:
+  - convert:
       field: rawmsg.dns.id
       target_field: dns.id
+      type: string
       if: ctx?.event?.type == 'dns'
       ignore_missing: true
   - rename:

packages/fireeye/data_stream/nx/fields/ecs.yml

@@ -120,6 +120,8 @@
   name: network.protocol
 - external: ecs
   name: network.community_id
+- external: ecs
+  name: network.iana_number
 - external: ecs
   name: event.type
 - external: ecs
@@ -134,6 +136,8 @@
   name: dns.answers.ttl
 - external: ecs
   name: dns.type
+- external: ecs
+  name: dns.id
 - external: ecs
   name: tls.client.issuer
 - external: ecs

packages/fireeye/data_stream/nx/fields/fields.yml

@@ -103,24 +103,6 @@
     - name: public_keylength
       type: long
       description: TLS public key length.
-- name: network
-  type: group
-  fields:
-    - name: iana_number
-      type: float
-      description: IANA Protocol Number.
-- name: dns
-  type: group
-  fields:
-    - name: id
-      type: float
-      description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-- name: log
-  type: group
-  fields:
-    - name: source
-      type: group
-      fields:
-        - name: address
-          type: keyword
-          description: Logs Source Raw address.
+- name: log.source.address
+  type: keyword
+  description: Logs Source Raw address.

packages/fireeye/docs/README.md

@@ -49,7 +49,7 @@ The `nx` integration ingests network security logs from FireEye NX through TCP/U
 | destination.packets | Packets sent from the destination to the source. | long |
 | destination.port | Port of the destination. | long |
 | dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | float |
+| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
 | dns.question.type | The type of record being queried. | keyword |
 | dns.response_code | The DNS response code. | keyword |
@@ -107,7 +107,7 @@ The `nx` integration ingests network security logs from FireEye NX through TCP/U
 | log.offset | Log offset | long |
 | log.source.address | Logs Source Raw address. | keyword |
 | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.iana_number | IANA Protocol Number. | float |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | observer.product | The product name of the observer. | keyword |

packages/fireeye/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: fireeye
 title: "Fireeye"
-version: 1.2.0
+version: 1.2.1
 license: basic
 description: "This Elastic integration collects Fireeye NX logs."
 type: integration