Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add registered_domain processor #13326

Merged
merged 3 commits into from Aug 25, 2019
Merged

Add registered_domain processor #13326

merged 3 commits into from Aug 25, 2019

Conversation

andrewkroh
Copy link
Member

The registered_domain processor reads a field containing a hostname and then
writes the "registered domain" contained in the hostname to the target field.
For example, given www.google.co.uk the processor would output google.co.uk.
In other words the "registered domain" is the effective top-level domain
(co.uk) plus one level (google).

This can be used to populate the ECS dns.question.registered_domain field.

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem

adriansr
adriansr approved these changes Aug 23, 2019
View reviewed changes
Copy link
Contributor

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor comment.

I don't like the name, as "registered" has implications, but can't come up with a better one either. It's funny how it seems there isn't a word for that. "etld_plus_one" won't make a catchy name for a processor.

CHANGELOG.next.asciidoc Outdated Show resolved Hide resolved
libbeat/processors/registered_domain/registered_domain.go Show resolved Hide resolved
@webmat
Copy link
Contributor

webmat commented Aug 23, 2019

I don't like the name, as "registered" has implications, but can't come up with a better one either.

@adriansr Yeah, the discussion around the name registered_domain in ECS has happened over a year. It's the least bad we found LOL 🤷‍♂

webmat
webmat approved these changes Aug 23, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM on the functionality.

As usual, don't rely on me for the Golang review.

Left 2 comments for small things

libbeat/processors/registered_domain/registered_domain_test.go Show resolved Hide resolved
libbeat/docs/processors-using.asciidoc Show resolved Hide resolved
@andrewkroh
Add registered_domain processor
e2a4d9a 
The `registered_domain` processor reads a field containing a hostname and then
writes the "registered domain" contained in the hostname to the target field.
For example, given `www.google.co.uk` the processor would output `google.co.uk`.
In other words the "registered domain" is the effective top-level domain
(`co.uk`) plus one level (`google`).

This can be used to populate the ECS `dns.question.registered_domain` field.
@andrewkroh
Address review comments
7d1ec52
@andrewkroh
Update changelog
dcc2204
@andrewkroh andrewkroh force-pushed the feature/libbeat/registered-domain-processor branch from fa85160 to dcc2204 Compare August 24, 2019 21:03
@andrewkroh
Copy link
Member Author

@adriansr I agree with you that the name isn't great. I chose it to match the ECS field name which went through much debate.

@andrewkroh andrewkroh merged commit 269ede2 into elastic:master Aug 25, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webmat webmat webmat approved these changes

@houndci-bot houndci-bot houndci-bot left review comments

@adriansr adriansr adriansr approved these changes

Assignees
No one assigned
Labels
enhancement libbeat :Processors review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@andrewkroh @elasticmachine @webmat @houndci-bot @adriansr