[cisco_umbrella] Fix dns logs populating destination.ip instead of source.nat.ip

packages/cisco_umbrella/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.6.1"
+  changes:
+    - description: Fix use of destination.ip instead of source.nat.ip in DNS logs
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3218
 - version: "0.6.0"
   changes:
     - description: Update to ECS 8.2

packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json

@@ -17,22 +17,6 @@
                     "policy_identity_type": "Test Policy Name"
                 }
             },
-            "destination": {
-                "address": "81.2.69.144",
-                "geo": {
-                    "city_name": "London",
-                    "continent_name": "Europe",
-                    "country_iso_code": "GB",
-                    "country_name": "United Kingdom",
-                    "location": {
-                        "lat": 51.5142,
-                        "lon": -0.0931
-                    },
-                    "region_iso_code": "GB-ENG",
-                    "region_name": "England"
-                },
-                "ip": "81.2.69.144"
-            },
             "dns": {
                 "question": {
                     "name": "elastic.co.",
@@ -74,7 +58,10 @@
             },
             "source": {
                 "address": "192.168.1.1",
-                "ip": "192.168.1.1"
+                "ip": "192.168.1.1",
+                "nat": {
+                    "ip": "81.2.69.144"
+                }
             },
             "tags": [
                 "preserve_original_event"
@@ -104,22 +91,6 @@
                     "policy_identity_type": "Test Policy Name"
                 }
             },
-            "destination": {
-                "address": "67.43.156.12",
-                "as": {
-                    "number": 35908
-                },
-                "geo": {
-                    "continent_name": "Asia",
-                    "country_iso_code": "BT",
-                    "country_name": "Bhutan",
-                    "location": {
-                        "lat": 27.5,
-                        "lon": 90.5
-                    }
-                },
-                "ip": "67.43.156.12"
-            },
             "dns": {
                 "question": {
                     "name": "elastic.co.",
@@ -161,7 +132,10 @@
             },
             "source": {
                 "address": "192.168.1.1",
-                "ip": "192.168.1.1"
+                "ip": "192.168.1.1",
+                "nat": {
+                    "ip": "67.43.156.12"
+                }
             },
             "tags": [
                 "preserve_original_event"
@@ -185,22 +159,6 @@
                     "policy_identity_type": "Roaming Computers"
                 }
             },
-            "destination": {
-                "address": "81.2.69.144",
-                "geo": {
-                    "city_name": "London",
-                    "continent_name": "Europe",
-                    "country_iso_code": "GB",
-                    "country_name": "United Kingdom",
-                    "location": {
-                        "lat": 51.5142,
-                        "lon": -0.0931
-                    },
-                    "region_iso_code": "GB-ENG",
-                    "region_name": "England"
-                },
-                "ip": "81.2.69.144"
-            },
             "dns": {
                 "question": {
                     "name": "elastic.co.",
@@ -257,7 +215,10 @@
                         "lon": 90.5
                     }
                 },
-                "ip": "67.43.156.12"
+                "ip": "67.43.156.12",
+                "nat": {
+                    "ip": "81.2.69.144"
+                }
             },
             "tags": [
                 "preserve_original_event"

packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -24,7 +24,7 @@ processors:
         - user.name
         - cisco.umbrella.identities
         - source.address
-        - destination.address
+        - source.nat.ip
         - cisco.umbrella.action
         - dns.question.type
         - dns.response_code
@@ -236,16 +236,39 @@ processors:
       value: connection
       if: ctx?.cisco?.umbrella?.action != null
   # Converting address fields to either ip or domain
-  - grok:
+  - convert:
       field: source.address
-      patterns:
-        - "(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})"
-      ignore_failure: true
-  - grok:
+      target_field: source.ip
+      type: ip
+      ignore_missing: true
+      on_failure:
+        - set:
+            copy_from: source.address
+            field: source.domain
+            override: true
+
+  - convert:
       field: destination.address
-      patterns:
-        - "(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})"
-      ignore_failure: true
+      target_field: destination.ip
+      type: ip
+      ignore_missing: true
+      on_failure:
+        - set:
+            field: destination.domain
+            copy_from: destination.address
+            override: true
+
+  # For nat, there's no address or domain subfield.
+  # If the value is not a valid IP, it must be removed
+  # or ingestion will fail. Probably just an empty value.
+  - convert:
+      field: source.nat.ip
+      type: ip
+      ignore_missing: true
+      on_failure:
+        - remove:
+            field: source.nat.ip
+
   - community_id:
       ignore_missing: true
   - geoip:

packages/cisco_umbrella/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_umbrella
 title: Cisco Umbrella
-version: 0.6.0
+version: 0.6.1
 license: basic
 description: Collect logs from Cisco Umbrella with Elastic Agent.
 type: integration