From f0120ceba29377325784a5ab01fa62cae0f570a9 Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Thu, 10 Dec 2020 14:55:46 -0600
Subject: [PATCH] zeek ecs 1.7 updates for network.direction (#22967)
- prevent setting network.direction to external if local_orig and local_resp are both undefined
---
 CHANGELOG.next.asciidoc | 1 +
 .../zeek/connection/ingest/pipeline.yml | 37 ++++++++++++-------
 2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 54d4fa40f17..b35ec93cdf9 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -344,6 +344,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix for `field [source] not present as part of path [source.ip]` error in azure pipelines. {pull}22377[22377]
 - Drop aws.vpcflow.pkt_srcaddr and aws.vpcflow.pkt_dstaddr when equal to "-". {pull}22721[22721] {issue}22716[22716]
 - Fix cisco umbrella module config by adding input variable. {pull}22892[22892]
+- Fix network.direction logic in zeek connection fileset. {pull}22967[22967]
 - Convert the o365 module's `client.port` and `source.port` to numbers (from strings) in events. {pull}22939[22939]
 - Fix Cisco ASA/FTD module's parsing of WebVPN log message 716002. {pull}22966[22966]
diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
index c25c9cee6e5..93245720a06 100644
--- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
@@ -45,19 +45,30 @@ processors:
 source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes
 ignore_failure: true
 - script:
- source: >-
- if (ctx?.zeek?.connection?.local_orig == true) {
- if (ctx?.zeek?.connection?.local_resp == true) {
- ctx.network.direction = "internal";
- } else {
- ctx.network.direction = "outbound";
- }
- } else {
- if (ctx?.zeek?.connection?.local_resp == true) {
- ctx.network.direction = "inbound";
- } else {
- ctx.network.direction = "external";
- }
+ source: |-
+ if (ctx?.zeek?.connection?.local_orig == null ||
+ ctx?.zeek?.connection?.local_resp == null) {
+ return;
+ }
+ if (ctx.zeek.connection.local_orig == true &&
+ ctx.zeek.connection.local_resp == true) {
+ ctx.network.direction = "internal";
+ return;
+ }
+ if (ctx.zeek.connection.local_orig == true &&
+ ctx.zeek.connection.local_resp == false) {
+ ctx.network.direction = "outbound";
+ return;
+ }
+ if (ctx.zeek.connection.local_orig == false &&
+ ctx.zeek.connection.local_resp == true) {
+ ctx.network.direction = "inbound";
+ return;
+ }
+ if (ctx.zeek.connection.local_orig == false &&
+ ctx.zeek.connection.local_resp == false) {
+ ctx.network.direction = "external";
+ return;
 }
 - geoip:
 field: destination.ip
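Review bot: The four explicit boolean branches of the new script leave network.direction silently unset when local_orig or local_resp are present but not booleans — none of the `== true`/`== false` comparisons match, the script falls off the end after the last `if (... == false && ... == false)` block, and nothing in the event distinguishes that from a legitimately undefined pair. If the fall-through is intended (it is the defensive choice, since a plain `else` would mislabel such records as "external", the very value this commit stops emitting for undefined flags), it deserves a YAML comment above `source: |-`, e.g. `# only map network.direction when both flags are present booleans; any other value is left unset rather than reported as "external"`. If unexpected values should instead be visible to analysts, a final branch that appends to `error.message` or tags the event would make them searchable in the index. No `ignore_failure` or `on_failure` for this script processor is visible in the hunk, so presumably a thrown exception would fail the whole event; the current comparison-only form cannot throw, which is a further reason to keep it explicit and documented.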