forked from elastic/beats
Commit
Populate more ECS fields in the Suricata module (elastic#10006)
* Populate more ECS fields in the Suricata module

  A few more ECS fields are populated by the ingest pipeline that enriches Suricata's eve.json events. Additions:
  - http.request.referrer (from suricata.eve.http.http_refer)
  - event.action (from suricata.eve.alert.category) describes the action that caused the event. Examples: "Attempted Denial of Service", "Successful Administrator Privilege Gain"
  - event.outcome (from suricata.eve.alert.action) Possible values: "allowed", "blocked"
  - event.severity (from suricata.eve.alert.severity) Possible values: 1, 2 or 3.
  - network.transport (from suricata.eve.proto) Examples: "tcp", "udp", "ipv6-icmp"

* Use message for suricata.eve.alert.category

  Instead of event.action, which is expected to have a fixed set of enumeration values.

* Populate destination.domain

  When http.hostname is present.

* Populate event.{start,end,duration}

* populate network.protocol

* url.hostname is url.domain

* Populate url.path, url.fragment, url.query

  From http.url

* Lowercase http request method

* Source/Destination and aggregated counters

  This assumes client=source server=destination. Populates
  - source.{packets|bytes}
  - destination.{packets|bytes}
  - network.{packets|bytes}

* Updated golden files

* Populate ECS field `http.response.body.bytes`

* Use grok pattern to parse url fields

  Replace ugly painless code.

* Avoid pairs of convert/lowercase

  Lowercase processor can have a target field so it's not necessary to copy the field in a previous step.

* Cleanup painless script

* Fix golden data

* Fix golden data (2)

* Copy timestamp to event.end instead of parsing date again

(cherry picked from commit 184149f4a18b4162b0d6c89adba3bb924a2db0b8)
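The field mappings the commit message describes, modelled as an added Python example that is not the Filebeat module's own ingest pipeline (the real one is an Elasticsearch pipeline with grok, lowercase and painless processors). The names `app_proto`, `http_method`, `length` and `flow.{pkts,bytes}_{toserver,toclient}` are assumed eve.json field names not mentioned in the commit; the sample event is constructed.

```python
import re

# Grok-style split of http.url into path, query and fragment (mirrors the commit's grok approach).
URL_RE = re.compile(r"^(?P<path>[^?#]*)(?:\?(?P<query>[^#]*))?(?:#(?P<fragment>.*))?$")


def map_eve_to_ecs(eve: dict) -> dict:
    """Return the flat ECS fields derived from one Suricata eve.json event."""
    ecs = {}
    alert, http, flow = eve.get("alert", {}), eve.get("http", {}), eve.get("flow", {})
    if "http_refer" in http:
        ecs["http.request.referrer"] = http["http_refer"]
    if "category" in alert:            # free text, so message rather than event.action
        ecs["message"] = alert["category"]
    if "action" in alert:              # "allowed" or "blocked"
        ecs["event.outcome"] = alert["action"]
    if "severity" in alert:            # 1, 2 or 3
        ecs["event.severity"] = int(alert["severity"])
    if "proto" in eve:
        ecs["network.transport"] = eve["proto"].lower()
    if "app_proto" in eve:             # assumed eve field name
        ecs["network.protocol"] = eve["app_proto"]
    if "hostname" in http:             # url.hostname is url.domain; also destination.domain
        ecs["destination.domain"] = ecs["url.domain"] = http["hostname"]
    if "url" in http:
        m = URL_RE.match(http["url"])
        for key in ("path", "query", "fragment"):
            if m and m.group(key):
                ecs["url." + key] = m.group(key)
    if "http_method" in http:          # assumed eve field name; lowercased as in the commit
        ecs["http.request.method"] = http["http_method"].lower()
    if "length" in http:               # assumed eve field name
        ecs["http.response.body.bytes"] = http["length"]
    # Counters assume client=source and server=destination; flow.* names are assumed.
    if flow:
        ecs["source.packets"] = flow.get("pkts_toserver", 0)
        ecs["source.bytes"] = flow.get("bytes_toserver", 0)
        ecs["destination.packets"] = flow.get("pkts_toclient", 0)
        ecs["destination.bytes"] = flow.get("bytes_toclient", 0)
        ecs["network.packets"] = ecs["source.packets"] + ecs["destination.packets"]
        ecs["network.bytes"] = ecs["source.bytes"] + ecs["destination.bytes"]
    return ecs


# Constructed sample event, not real traffic.
SAMPLE_EVE = {
    "proto": "TCP", "app_proto": "http",
    "alert": {"category": "Attempted Denial of Service", "action": "blocked", "severity": 2},
    "http": {"hostname": "example.test", "url": "/login?user=a#top", "http_method": "POST",
             "http_refer": "http://example.test/", "length": 512},
    "flow": {"pkts_toserver": 10, "bytes_toserver": 1400, "pkts_toclient": 8, "bytes_toclient": 900},
}
```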
Showing 4 changed files with 2,170 additions and 1,579 deletions.