add tcp flags to aws/vpcflow fileset (#23157)

* add tcp flags to aws/vpcflow fileset

- new field aws.vpcflow.tcp_flags_array

Closes #22820

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>

CHANGELOG.next.asciidoc

@@ -796,6 +796,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add Google Workspace module and mark Gsuite module as deprecated {pull}22950[22950]
 - Mark m365 defender, defender atp, okta and google workspace modules as GA {pull}23113[23113]
 - Added support for first_event context in filebeat httpjson input {pull}23437[23437]
+- Add parsing of tcp flags to AWS vpcflow fileset {issue}228020[22820] {pull}23157[23157]
 - Added `alternative_host` option to google pubsub input {pull}23215[23215]
 
 *Heartbeat*

filebeat/docs/fields.asciidoc

@@ -2250,6 +2250,16 @@ type: keyword
 The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST
 
 
+type: keyword
+
+--
+
+*`aws.vpcflow.tcp_flags_array`*::
++
+--
+List of TCP flags: 'fin, syn, rst, psh, ack, urg'
+
+
 type: keyword
 
 --

x-pack/filebeat/module/aws/vpcflow/_meta/fields.yml

@@ -49,6 +49,10 @@
       type: keyword
       description: >
         The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST
+    - name: tcp_flags_array
+      type: keyword
+      description: >
+        List of TCP flags: 'fin, syn, rst, psh, ack, urg'
     - name: type
       type: keyword
       description: >

x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml

@@ -128,6 +128,39 @@ processors:
       field: event.kind
       value: event
 
+  - script:
+      lang: painless
+      ignore_failure: true
+      source: |
+        if (ctx?.aws?.vpcflow?.tcp_flags == null)
+          return;
+
+        if (ctx?.aws?.vpcflow?.tcp_flags_array == null) {
+          ArrayList al = new ArrayList();
+          ctx.aws.vpcflow.put("tcp_flags_array", al);
+        }
+
+        def flags = Integer.parseUnsignedInt(ctx.aws.vpcflow.tcp_flags);
+
+        if ((flags & 0x01) != 0) {
+          ctx.aws.vpcflow.tcp_flags_array.add('fin');
+        }
+        if ((flags & 0x02) != 0) {
+          ctx.aws.vpcflow.tcp_flags_array.add('syn');
+        }
+        if ((flags & 0x04) != 0) {
+          ctx.aws.vpcflow.tcp_flags_array.add('rst');
+        }
+        if ((flags & 0x08) != 0) {
+          ctx.aws.vpcflow.tcp_flags_array.add('psh');
+        }
+        if ((flags & 0x10) != 0) {
+          ctx.aws.vpcflow.tcp_flags_array.add('ack');
+        }
+        if ((flags & 0x20) != 0) {
+          ctx.aws.vpcflow.tcp_flags_array.add('urg');
+        }
+
 on_failure:
   - set:
       field: "error.message"

x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json

@@ -9,6 +9,10 @@
         "aws.vpcflow.pkt_srcaddr": "10.20.33.164",
         "aws.vpcflow.subnet_id": "subnet-22222222bbbbbbbbb",
         "aws.vpcflow.tcp_flags": "3",
+        "aws.vpcflow.tcp_flags_array": [
+            "fin",
+            "syn"
+        ],
         "aws.vpcflow.type": "IPv4",
         "aws.vpcflow.version": "3",
         "aws.vpcflow.vpc_id": "vpc-abcdefab012345678",

x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log

@@ -1,2 +1,4 @@
 version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status
 3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43416 5001 52.213.180.42 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43638 5001 52.213.180.42 10.0.0.62 6 1260 17 1566933133 1566933193 ACCEPT 3 OK
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 10.0.0.62 52.213.180.42 5001 43638 10.0.0.62 52.213.180.42 6 967 14 1566933133 1566933193 ACCEPT 19 OK