[Zeek Radius] Add ECS compliance for event.outcome field in RADIUS data stream and add tunnel_client field support

[haetamoudi]

Proposed commit message

Add ECS compliance for event.outcome field in RADIUS data stream and add tunnel_client field support

Zeek docs

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

Fixes https://github.com/elastic/enhancements/issues/26613

Screenshots

[github-actions]

✅ Vale Linting Results

No issues found on modified lines!

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

Package zeek 👍(27) 💚(9) 💔(7)

Expand to view

Data stream	Previous EPS	New EPS	Diff (%)	Result
known_services	52631.58	43478.26	-9153.32 (-17.39%)	💔
pe	30303.03	21276.6	-9026.43 (-29.79%)	💔
smb_mapping	45454.55	38461.54	-6993.01 (-15.38%)	💔
dce_rpc	18518.52	12195.12	-6323.4 (-34.15%)	💔
dhcp	32258.06	20000	-12258.06 (-38%)	💔
dns	30303.03	18867.92	-11435.11 (-37.74%)	💔
ftp	41666.67	29411.76	-12254.91 (-29.41%)	💔

To see the full report comment with /test benchmark fullreport

[elasticmachine]

Pinging @elastic/integration-experience (Team:Integration-Experience)

[qcorporation]

@haetamoudi this looks ok - do you know if customers would build rules off of the existing wrong behaviour, where event.outcome=failed. Could this break alerts?

cc. @taylor-swanson just to get some eyes

[taylor-swanson]

@haetamoudi this looks ok - do you know if customers would build rules off of the existing wrong behaviour, where event.outcome=failed. Could this break alerts?

cc. @taylor-swanson just to get some eyes

It probably will. For that reason, this should be a breaking change.

[taylor-swanson]

See Quan's comment.

[taylor-swanson]

LGTM

@qcorporation, @haetamoudi, does the breaking change committee need to be notified about this?

[haetamoudi]

@taylor-swanson I did not know about the breaking change committee.. is there an official process defined somewhere?

[botelastic]

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[taylor-swanson]

@haetamoudi , if this has been approved by the breaking change committee, can we go ahead and merge this (after resolving the conflicts)?

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 355f5be

History

• 💚 Build #37940 succeeded a8defd2
• 💚 Build #37712 succeeded cd4e289
• 💔 Build #37710 failed 702abdd

[elastic-vault-github-plugin-prod]

Package zeek - 5.0.0 containing this change is available at https://epr.elastic.co/package/zeek/5.0.0/