Add missing ECS mappings

elastic · Aug 4, 2023 · 6c4ba81 · 6c4ba81
1 parent 196e624
commit 6c4ba81
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 7 deletions.
diff --git a/packages/azure_metrics/changelog.yml b/packages/azure_metrics/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.0.18"
+  changes:
+    - description: Add missing azure dimensions to the kube_pod_status_phase and kube_pod_status_ready metrics
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/7245
 - version: "1.0.17"
   changes:
     - description: Add dimension and metric_type metadata to the container_instance datastream

diff --git a/packages/azure_metrics/data_stream/container_service/agent/stream/stream.yml.hbs b/packages/azure_metrics/data_stream/container_service/agent/stream/stream.yml.hbs
@@ -43,13 +43,28 @@ resources:
             namespace: "Microsoft.ContainerService/managedClusters"
             ignore_unsupported: true
             timegrain: "PT5M"
-          - name: ["kube_pod_status_ready", "kube_pod_status_phase"]
+          - name: ["kube_pod_status_ready"]
             namespace: "Microsoft.ContainerService/managedClusters"
             ignore_unsupported: true
             timegrain: "PT5M"
             dimensions:
             - name: "pod"
-              value: "*"        
+              value: "*"
+            - name: "namespace"
+              value: "*"
+            - name: "condition"
+              value: "*"
+          - name: ["kube_pod_status_phase"]
+            namespace: "Microsoft.ContainerService/managedClusters"
+            ignore_unsupported: true
+            timegrain: "PT5M"
+            dimensions:
+            - name: "pod"
+              value: "*"
+            - name: "namespace"
+              value: "*"
+            - name: "phase"
+              value: "*"
     {{/each}}
 {{/if}}
 {{#if resource_ids}}
@@ -71,13 +86,28 @@ resources:
             namespace: "Microsoft.ContainerService/managedClusters"
             ignore_unsupported: true
             timegrain: "PT5M"
-          - name: ["kube_pod_status_ready", "kube_pod_status_phase"]
+          - name: ["kube_pod_status_ready"]
             namespace: "Microsoft.ContainerService/managedClusters"
             ignore_unsupported: true
             timegrain: "PT5M"
             dimensions:
             - name: "pod"
               value: "*"
+            - name: "namespace"
+              value: "*"
+            - name: "condition"
+              value: "*"
+          - name: ["kube_pod_status_phase"]
+            namespace: "Microsoft.ContainerService/managedClusters"
+            ignore_unsupported: true
+            timegrain: "PT5M"
+            dimensions:
+            - name: "pod"
+              value: "*"
+            - name: "namespace"
+              value: "*"
+            - name: "phase"
+              value: "*"
     {{/each}}
 {{/if}}
 
@@ -105,12 +135,27 @@ resources:
             namespace: "Microsoft.ContainerService/managedClusters"
             ignore_unsupported: true
             timegrain: "PT5M"
-          - name: ["kube_pod_status_ready", "kube_pod_status_phase"]
+          - name: ["kube_pod_status_ready"]
             namespace: "Microsoft.ContainerService/managedClusters"
             ignore_unsupported: true
             timegrain: "PT5M"
             dimensions:
             - name: "pod"
-              value: "*"          
+              value: "*"
+            - name: "namespace"
+              value: "*"
+            - name: "condition"
+              value: "*"
+          - name: ["kube_pod_status_phase"]
+            namespace: "Microsoft.ContainerService/managedClusters"
+            ignore_unsupported: true
+            timegrain: "PT5M"
+            dimensions:
+            - name: "pod"
+              value: "*"
+            - name: "namespace"
+              value: "*"
+            - name: "phase"
+              value: "*"
     {{/unless}}
-{{/unless}}
+{{/unless}}
diff --git a/packages/azure_metrics/manifest.yml b/packages/azure_metrics/manifest.yml
@@ -1,6 +1,6 @@
 name: azure_metrics
 title: Azure Resource Metrics
-version: 1.0.17
+version: 1.0.18
 release: ga
 description: Collect metrics from Azure resources with Elastic Agent.
 type: integration

diff --git a/packages/suricata/data_stream/eve/fields/ecs.yml b/packages/suricata/data_stream/eve/fields/ecs.yml
@@ -12,6 +12,8 @@
   name: destination.domain
 - external: ecs
   name: destination.geo.city_name
+- external: ecs
+  name: destination.geo.continent_code
 - external: ecs
   name: destination.geo.continent_name
 - external: ecs
@@ -20,10 +22,16 @@
   name: destination.geo.country_name
 - external: ecs
   name: destination.geo.location
+- external: ecs
+  name: destination.geo.name
+- external: ecs
+  name: destination.geo.postal_code
 - external: ecs
   name: destination.geo.region_iso_code
 - external: ecs
   name: destination.geo.region_name
+- external: ecs
+  name: destination.geo.timezone
 - external: ecs
   name: destination.ip
 - external: ecs
@@ -74,6 +82,8 @@
   name: related.hash
 - external: ecs
   name: related.hosts
+- external: ecs
+  name: related.ip
 - external: ecs
   name: rule.category
 - external: ecs
@@ -90,6 +100,8 @@
   name: source.bytes
 - external: ecs
   name: source.geo.city_name
+- external: ecs
+  name: source.geo.continent_code
 - external: ecs
   name: source.geo.continent_name
 - external: ecs
@@ -98,10 +110,16 @@
   name: source.geo.country_name
 - external: ecs
   name: source.geo.location
+- external: ecs
+  name: source.geo.name
+- external: ecs
+  name: source.geo.postal_code
 - external: ecs
   name: source.geo.region_iso_code
 - external: ecs
   name: source.geo.region_name
+- external: ecs
+  name: source.geo.timezone
 - external: ecs
   name: source.ip
 - external: ecs

diff --git a/packages/suricata/docs/README.md b/packages/suricata/docs/README.md
@@ -131,12 +131,16 @@ An example event for `eve` looks as following:
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
 | destination.geo.country_iso_code | Country ISO code. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | destination.geo.region_iso_code | Region ISO code. | keyword |
 | destination.geo.region_name | Region name. | keyword |
+| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | destination.packets | Packets sent from the destination to the source. | long |
@@ -216,12 +220,16 @@ An example event for `eve` looks as following:
 | source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.bytes | Bytes sent from the source to the destination. | long |
 | source.geo.city_name | City name. | keyword |
+| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
 | source.geo.country_name | Country name. | keyword |
 | source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | source.geo.region_iso_code | Region ISO code. | keyword |
 | source.geo.region_name | Region name. | keyword |
+| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | source.packets | Packets sent from the source to the destination. | long |