diff --git a/packages/netflow/changelog.yml b/packages/netflow/changelog.yml
index 33d1855a8a3f..7c2880a9dc07 100644
--- a/packages/netflow/changelog.yml
+++ b/packages/netflow/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.12.1"
+ changes:
+ - description: Add missing ECS field mappings
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7271
 - version: "2.12.0"
 changes:
 - description: Update package to ECS 8.9.0.
diff --git a/packages/netflow/data_stream/log/fields/ecs.yml b/packages/netflow/data_stream/log/fields/ecs.yml
index 14af0d3e6c18..e23c145c5fb8 100644
--- a/packages/netflow/data_stream/log/fields/ecs.yml
+++ b/packages/netflow/data_stream/log/fields/ecs.yml
@@ -26,6 +26,8 @@
 name: client.domain
 - external: ecs
 name: client.geo.city_name
+- external: ecs
+ name: client.geo.continent_code
 - external: ecs
 name: client.geo.continent_name
 - external: ecs
@@ -36,10 +38,14 @@
 name: client.geo.location
 - external: ecs
 name: client.geo.name
+- external: ecs
+ name: client.geo.postal_code
 - external: ecs
 name: client.geo.region_iso_code
 - external: ecs
 name: client.geo.region_name
+- external: ecs
+ name: client.geo.timezone
 - external: ecs
 name: client.ip
 - external: ecs
@@ -104,6 +110,8 @@
 name: destination.domain
 - external: ecs
 name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.continent_code
 - external: ecs
 name: destination.geo.continent_name
 - external: ecs
@@ -114,10 +122,14 @@
 name: destination.geo.location
 - external: ecs
 name: destination.geo.name
+- external: ecs
+ name: destination.geo.postal_code
 - external: ecs
 name: destination.geo.region_iso_code
 - external: ecs
 name: destination.geo.region_name
+- external: ecs
+ name: destination.geo.timezone
 - external: ecs
 name: destination.ip
 - external: ecs
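Review bot: The added `client.geo.continent_code` reference (and `postal_code`/`timezone` in the next hunk, mirrored for destination, host, observer, server and source in the later hunks) is an `external: ecs` entry, so it is resolved at build time against whichever ECS version the package's build manifest pins, and that file is outside this diff; the changelog says the package moved to ECS 8.9.0, so these geo fields are presumably defined there, but the pinned reference is what should be confirmed rather than the changelog text. Nothing in the diff shows a pipeline processor writing `*.geo.postal_code` or `*.geo.timezone`, so the new mappings only close a dynamic-mapping gap if the geoip enrichment actually emits those properties; a sample-event test that carries them would make the bugfix observable. Since six `*.geo` blocks are now kept in parallel by hand, a one-line comment above the first block, `# keep the geo sub-fields in sync across the client/destination/host/observer/server/source blocks`, would help the next reviewer spot a block that drifts.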
@@ -318,6 +330,8 @@
 name: host.architecture
 - external: ecs
 name: host.geo.city_name
+- external: ecs
+ name: host.geo.continent_code
 - external: ecs
 name: host.geo.continent_name
 - external: ecs
@@ -328,10 +342,14 @@
 name: host.geo.location
 - external: ecs
 name: host.geo.name
+- external: ecs
+ name: host.geo.postal_code
 - external: ecs
 name: host.geo.region_iso_code
 - external: ecs
 name: host.geo.region_name
+- external: ecs
+ name: host.geo.timezone
 - external: ecs
 name: host.hostname
 - external: ecs
@@ -420,6 +438,8 @@
 name: network.type
 - external: ecs
 name: observer.geo.city_name
+- external: ecs
+ name: observer.geo.continent_code
 - external: ecs
 name: observer.geo.continent_name
 - external: ecs
@@ -430,10 +450,14 @@
 name: observer.geo.location
 - external: ecs
 name: observer.geo.name
+- external: ecs
+ name: observer.geo.postal_code
 - external: ecs
 name: observer.geo.region_iso_code
 - external: ecs
 name: observer.geo.region_name
+- external: ecs
+ name: observer.geo.timezone
 - external: ecs
 name: observer.hostname
 - external: ecs
@@ -546,6 +570,8 @@
 name: server.domain
 - external: ecs
 name: server.geo.city_name
+- external: ecs
+ name: server.geo.continent_code
 - external: ecs
 name: server.geo.continent_name
 - external: ecs
@@ -556,10 +582,14 @@
 name: server.geo.location
 - external: ecs
 name: server.geo.name
+- external: ecs
+ name: server.geo.postal_code
 - external: ecs
 name: server.geo.region_iso_code
 - external: ecs
 name: server.geo.region_name
+- external: ecs
+ name: server.geo.timezone
 - external: ecs
 name: server.ip
 - external: ecs
@@ -620,6 +650,8 @@
 name: source.domain
 - external: ecs
 name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_code
 - external: ecs
 name: source.geo.continent_name
 - external: ecs
@@ -630,10 +662,14 @@
 name: source.geo.location
 - external: ecs
 name: source.geo.name
+- external: ecs
+ name: source.geo.postal_code
 - external: ecs
 name: source.geo.region_iso_code
 - external: ecs
 name: source.geo.region_name
+- external: ecs
+ name: source.geo.timezone
 - external: ecs
 name: source.ip
 - external: ecs
diff --git a/packages/netflow/docs/README.md b/packages/netflow/docs/README.md
index fda9bc4ab8d6..52c5851fb4e6 100644
--- a/packages/netflow/docs/README.md
+++ b/packages/netflow/docs/README.md
@@ -40,13 +40,16 @@ The `log` dataset collects netflow logs.
 | client.bytes | Bytes sent from the client to the server. | long |
 | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.geo.city_name | City name. | keyword |
+| client.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | client.geo.continent_name | Name of the continent. | keyword |
 | client.geo.country_iso_code | Country ISO code. | keyword |
 | client.geo.country_name | Country name. | keyword |
 | client.geo.location | Longitude and latitude. | geo_point |
 | client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| client.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | client.geo.region_iso_code | Region ISO code. | keyword |
 | client.geo.region_name | Region name. | keyword |
+| client.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | client.ip | IP address of the client (IPv4 or IPv6). | ip |
 | client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
@@ -91,13 +94,16 @@ The `log` dataset collects netflow logs.
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
 | destination.geo.country_iso_code | Country ISO code. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point |
 | destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | destination.geo.region_iso_code | Region ISO code. | keyword |
 | destination.geo.region_name | Region name. | keyword |
+| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.locality | Whether the destination IP is private or public. | keyword |
 | destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
@@ -210,13 +216,16 @@ The `log` dataset collects netflow logs.
 | host.containerized | If the host is a container. | boolean |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
 | host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | host.geo.continent_name | Name of the continent. | keyword |
 | host.geo.country_iso_code | Country ISO code. | keyword |
 | host.geo.country_name | Country name. | keyword |
 | host.geo.location | Longitude and latitude. | geo_point |
 | host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | host.geo.region_iso_code | Region ISO code. | keyword |
 | host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
@@ -1594,13 +1603,16 @@ The `log` dataset collects netflow logs.
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
 | observer.geo.city_name | City name. | keyword |
+| observer.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | observer.geo.continent_name | Name of the continent. | keyword |
 | observer.geo.country_iso_code | Country ISO code. | keyword |
 | observer.geo.country_name | Country name. | keyword |
 | observer.geo.location | Longitude and latitude. | geo_point |
 | observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| observer.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | observer.geo.region_iso_code | Region ISO code. | keyword |
 | observer.geo.region_name | Region name. | keyword |
+| observer.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
 | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
@@ -1667,13 +1679,16 @@ The `log` dataset collects netflow logs.
 | server.bytes | Bytes sent from the server to the client. | long |
 | server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | server.geo.city_name | City name. | keyword |
+| server.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | server.geo.continent_name | Name of the continent. | keyword |
 | server.geo.country_iso_code | Country ISO code. | keyword |
 | server.geo.country_name | Country name. | keyword |
 | server.geo.location | Longitude and latitude. | geo_point |
 | server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| server.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | server.geo.region_iso_code | Region ISO code. | keyword |
 | server.geo.region_name | Region name. | keyword |
+| server.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | server.ip | IP address of the server (IPv4 or IPv6). | ip |
 | server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
@@ -1707,13 +1722,16 @@ The `log` dataset collects netflow logs.
 | source.bytes | Bytes sent from the source to the destination. | long |
 | source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
+| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
 | source.geo.country_name | Country name. | keyword |
 | source.geo.location | Longitude and latitude. | geo_point |
 | source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | source.geo.region_iso_code | Region ISO code. | keyword |
 | source.geo.region_name | Region name. | keyword |
+| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.locality | Whether the source IP is private or public. | keyword |
 | source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
diff --git a/packages/netflow/manifest.yml b/packages/netflow/manifest.yml
index 8e20d6c8cfb5..c5e8e14474c1 100644
--- a/packages/netflow/manifest.yml
+++ b/packages/netflow/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.7.0
 name: netflow
 title: NetFlow Records
-version: "2.12.0"
+version: "2.12.1"
 description: Collect flow records from NetFlow and IPFIX exporters with Elastic Agent.
 type: integration
 categories: