modsecurity: add missing destination.as.organization_name field defin…

…ition and mapping

packages/modsecurity/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.16.1"
+  changes:
+    - description: Add missing `destination.as.*` and `denstination.geo.*` field definitions and mapping.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1
 - version: "1.16.0"
   changes:
     - description: Improve 'event.original' check to avoid errors if set.

packages/modsecurity/data_stream/auditlog/elasticsearch/ingest_pipeline/apache-modsec.yml

@@ -219,6 +219,14 @@ processors:
       field: source.as.organization_name
       target_field: source.as.organization.name
       ignore_missing: true
+  - rename:
+      field: destination.as.asn
+      target_field: destination.as.number
+      ignore_missing: true
+  - rename:
+      field: destination.as.organization_name
+      target_field: destination.as.organization.name
+      ignore_missing: true
   - set:
       field: event.kind
       value: event

packages/modsecurity/data_stream/auditlog/fields/ecs.yml

@@ -84,6 +84,12 @@
   name: user_agent.version
 - external: ecs
   name: rule.id
+- external: ecs
+  name: destination.address
+- external: ecs
+  name: destination.as.number
+- external: ecs
+  name: destination.as.organization.name
 - external: ecs
   name: destination.geo.city_name
 - external: ecs
@@ -93,9 +99,7 @@
 - external: ecs
   name: destination.geo.country_name
 - external: ecs
-  name: destination.geo.location.lat
-- external: ecs
-  name: destination.geo.location.lon
+  name: destination.geo.location
 - external: ecs
   name: destination.geo.region_iso_code
 - external: ecs

packages/modsecurity/docs/README.md

@@ -40,13 +40,16 @@ The `Audit Log` dataset collects Modsecurity Audit logs.
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
 | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
 | destination.geo.country_iso_code | Country ISO code. | keyword |
 | destination.geo.country_name | Country name. | keyword |
-| destination.geo.location.lat | Longitude and latitude. | geo_point |
-| destination.geo.location.lon | Longitude and latitude. | geo_point |
+| destination.geo.location | Longitude and latitude. | geo_point |
 | destination.geo.region_iso_code | Region ISO code. | keyword |
 | destination.geo.region_name | Region name. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |

packages/modsecurity/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: modsecurity
 title: "ModSecurity Audit"
-version: "1.16.0"
+version: "1.16.1"
 description: Collect logs from ModSecurity with Elastic Agent
 type: integration
 categories: