infoblox_bloxone_ddi: map dns fields to ecs

elastic · Feb 6, 2024 · f1382fd · f1382fd
1 parent 5f36e2a
commit f1382fd
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 11 deletions.
diff --git a/packages/infoblox_bloxone_ddi/changelog.yml b/packages/infoblox_bloxone_ddi/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.15.0"
+  changes:
+    - description: Map DNS fields to ECS.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1
 - version: "1.14.1"
   changes:
     - description: Changed owners

diff --git a/...xone_ddi/data_stream/dns_data/_dev/test/pipeline/test-pipeline-dns-data.log-expected.json b/...xone_ddi/data_stream/dns_data/_dev/test/pipeline/test-pipeline-dns-data.log-expected.json
@@ -3,8 +3,18 @@
         {
             "@timestamp": "2022-07-20T09:59:59.184Z",
             "dns": {
-                "answers": {
-                    "ttl": 0
+                "answers": [
+                    {
+                        "data": "string",
+                        "ttl": 0,
+                        "type": "string"
+                    }
+                ],
+                "question": {
+                    "name": "string",
+                    "registered_domain": "string",
+                    "subdomain": "string",
+                    "type": "string"
                 }
             },
             "ecs": {
@@ -111,8 +121,18 @@
         {
             "@timestamp": "2022-07-14T11:50:28.838Z",
             "dns": {
-                "answers": {
-                    "ttl": 0
+                "answers": [
+                    {
+                        "data": "DNS rdata",
+                        "ttl": 0,
+                        "type": "AAAA"
+                    }
+                ],
+                "question": {
+                    "name": "Test name",
+                    "registered_domain": "test Zone",
+                    "subdomain": "Test zone",
+                    "type": "AAAA"
                 }
             },
             "ecs": {
@@ -200,8 +220,18 @@
         {
             "@timestamp": "2022-07-20T09:59:59.184Z",
             "dns": {
-                "answers": {
-                    "ttl": 0
+                "answers": [
+                    {
+                        "data": "DNS RData",
+                        "ttl": 0,
+                        "type": "DNS Data Type"
+                    }
+                ],
+                "question": {
+                    "name": "DNS Absolute Name",
+                    "registered_domain": "DNS Absolute Zone Name",
+                    "subdomain": "DNS Name in Zone",
+                    "type": "DNS Data Type"
                 }
             },
             "ecs": {

diff --git a/packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml
@@ -370,10 +370,6 @@ processors:
         - append:
             field: error.message
             value: '{{{_ingest.on_failure_message}}}'
-  - set:
-      field: dns.answers.ttl
-      copy_from: infoblox_bloxone_ddi.dns_data.ttl
-      ignore_failure: true
   - rename:
       field: json.type
       target_field: infoblox_bloxone_ddi.dns_data.type
@@ -404,6 +400,41 @@ processors:
       field: json.zone
       target_field: infoblox_bloxone_ddi.dns_data.zone
       ignore_missing: true
+  - set:
+      field: dns.answers.data
+      copy_from: infoblox_bloxone_ddi.dns_data.rdata_value
+      ignore_empty_value: true
+  - set:
+      field: dns.answers.ttl
+      copy_from: infoblox_bloxone_ddi.dns_data.ttl
+      ignore_empty_value: true
+  - set:
+      field: dns.answers.type
+      copy_from: infoblox_bloxone_ddi.dns_data.type
+      ignore_empty_value: true
+  - script:
+      lang: painless
+      if: ctx.dns?.answers != null
+      source: |
+        def a = new ArrayList();
+        a.add(ctx.dns.answers);
+        ctx.dns.answers = a;
+  - set:
+      field: dns.question.type
+      copy_from: infoblox_bloxone_ddi.dns_data.type
+      ignore_empty_value: true
+  - set:
+      field: dns.question.name
+      copy_from: infoblox_bloxone_ddi.dns_data.absolute.name.spec
+      ignore_empty_value: true
+  - set:
+      field: dns.question.registered_domain
+      copy_from: infoblox_bloxone_ddi.dns_data.absolute.zone.name
+      ignore_empty_value: true
+  - set:
+      field: dns.question.subdomain
+      copy_from: infoblox_bloxone_ddi.dns_data.name_in.zone
+      ignore_empty_value: true
   - remove:
       field: json
       ignore_missing: true
@@ -413,6 +444,11 @@ processors:
         - infoblox_bloxone_ddi.dns_data.lame_ttl
         - infoblox_bloxone_ddi.dns_data.created_at
         - infoblox_bloxone_ddi.dns_data.id
+        - infoblox_bloxone_ddi.dns_data.type
+        - infoblox_bloxone_ddi.dns_data.absolute.name.spec
+        - infoblox_bloxone_ddi.dns_data.absolute.zone.name
+        - infoblox_bloxone_ddi.dns_data.name_in.zone
+        - infoblox_bloxone_ddi.dns_data.rdata_value
       if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
       ignore_failure: true
       ignore_missing: true

diff --git a/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml b/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml
@@ -1,5 +1,19 @@
+- external: ecs
+  name: dns.answers
+- external: ecs
+  name: dns.answers.data
 - external: ecs
   name: dns.answers.ttl
+- external: ecs
+  name: dns.answers.type
+- external: ecs
+  name: dns.question.name
+- external: ecs
+  name: dns.question.registered_domain
+- external: ecs
+  name: dns.question.subdomain
+- external: ecs
+  name: dns.question.type
 - external: ecs
   name: ecs.version
 - external: ecs

diff --git a/packages/infoblox_bloxone_ddi/docs/README.md b/packages/infoblox_bloxone_ddi/docs/README.md
@@ -1433,7 +1433,14 @@ An example event for `dns_data` looks as following:
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
+| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
 | dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.type | The type of record being queried. | keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |

diff --git a/packages/infoblox_bloxone_ddi/manifest.yml b/packages/infoblox_bloxone_ddi/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: infoblox_bloxone_ddi
 title: Infoblox BloxOne DDI
-version: "1.14.1"
+version: "1.15.0"
 description: Collect logs from Infoblox BloxOne DDI with Elastic Agent.
 type: integration
 categories: