From c1ebeddf599f98d5eac6082a77f71b03057b89ab Mon Sep 17 00:00:00 2001
From: Jonathan Molinatto
Date: Fri, 7 Jun 2024 17:08:47 -0400
Subject: [PATCH] update source ip/port pairs for nat

---
 .../_dev/test/pipeline/test-firewall.log-expected.json | 3 ++-
 .../log/elasticsearch/ingest_pipeline/default.yml | 8 ++++----
 packages/stormshield/data_stream/log/fields/ecs.yml | 2 ++
 packages/stormshield/docs/README.md | 1 +
 4 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/packages/stormshield/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json b/packages/stormshield/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json
index 1bea4dbdf58c..4e1673423327 100644
--- a/packages/stormshield/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json
+++ b/packages/stormshield/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json
@@ -1519,7 +1519,8 @@
 "ip": "89.160.20.128",
 "mac": "00-0C-29-8D-6C-55",
 "nat": {
- "ip": "192.168.197.134"
+ "ip": "192.168.197.134",
+ "port": 55008
 },
 "port": 55008
 },
diff --git a/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 5ffdfc45e25f..1554aaf1ef41 100644
--- a/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -101,6 +101,9 @@ processors:
 name: '{{ IngestPipeline "count" }}'
 if: ctx.stormshield?.logtype == 'count'
+ #########################################################
+ # Now rename things to ECS
+
 - convert:
 field: stormshield.modsrc
 target_field: source.nat.ip
@@ -123,7 +126,7 @@ processors:
 field: stormshield.modsrcport
 target_field: source.nat.port
 type: long
- if: ctx.stormshield?.modsrcport != null && ctx.stormshield?.modsrcport != ctx.stormshield?.srcport
+ if: ctx.stormshield?.modsrcport != null && ctx.source?.nat?.ip != null
 - convert:
 field: stormshield.srcport
 target_field: source.port
@@ -199,9 +202,6 @@ processors:
 target_field: source.as.organization.name
 ignore_missing: true
 
- #########################################################
- # Now rename things to ECS
-
 - rename:
 field: stormshield.action
 target_field: event.action
diff --git a/packages/stormshield/data_stream/log/fields/ecs.yml b/packages/stormshield/data_stream/log/fields/ecs.yml
index 8d28d7a50b7e..9a2551fed1bc 100644
--- a/packages/stormshield/data_stream/log/fields/ecs.yml
+++ b/packages/stormshield/data_stream/log/fields/ecs.yml
@@ -74,6 +74,8 @@
 name: source.ip
 - external: ecs
 name: source.nat.ip
+- external: ecs
+ name: source.nat.port
 - external: ecs
 name: source.port
 - external: ecs
diff --git a/packages/stormshield/docs/README.md b/packages/stormshield/docs/README.md
index ca6fd87f4205..ae8ce73c8302 100644
--- a/packages/stormshield/docs/README.md
+++ b/packages/stormshield/docs/README.md
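Review bot: The new `if:` on the `source.nat.port` convert introduces an ordering dependency that the hunk does not document: `ctx.source?.nat?.ip` is only non-null if the `stormshield.modsrc` → `source.nat.ip` convert earlier in the processor list has already run, so reordering these processors would silently stop the port from ever being emitted. Dropping the comparison against `srcport` also means `source.nat.port` is now populated whenever a NAT address exists, even when it equals `source.port` (the updated test fixture shows exactly that case), which is presumably intended so the NAT ip/port pair is always complete. I'd add a comment above the `if:` line, `# Emit source.nat.port only when a NAT address was set by the modsrc convert above; an unchanged port is still emitted so the NAT ip/port pair stays complete`. Events that carry `modsrcport` without `modsrc` will now leave the port in `stormshield.modsrcport` rather than in ECS — worth confirming that is acceptable, since the fixture only covers the translated-IP case. The enclosing processor list continues on both sides of the hunk.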
@@ -212,6 +212,7 @@ An example event for `log` looks as following:
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
 | source.port | Port of the source. | long |
 | stormshield.dstif | Name of the destination interface. String of characters in UTF-8 format. Example: Ethernet 1 Available from: SNS v1.0.0. | keyword |
 | stormshield.dstifname | Name of the object representing the traffics destination interface. String of characters in UTF-8 format. Example: dmz1 Available from: SNS v1.0.0. | keyword |