diff --git a/packages/suricata/changelog.yml b/packages/suricata/changelog.yml
index 1f2eee25715a..ffa8f5384ab1 100644
--- a/packages/suricata/changelog.yml
+++ b/packages/suricata/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.12.1"
+ changes:
+ - description: Add missing ECS field mappings
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7275
 - version: "2.12.0"
 changes:
 - description: Update package-spec to 2.9.0.
diff --git a/packages/suricata/data_stream/eve/fields/ecs.yml b/packages/suricata/data_stream/eve/fields/ecs.yml
index fc4952f07b11..096232d8a17d 100644
--- a/packages/suricata/data_stream/eve/fields/ecs.yml
+++ b/packages/suricata/data_stream/eve/fields/ecs.yml
@@ -12,6 +12,8 @@
 name: destination.domain
 - external: ecs
 name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.continent_code
 - external: ecs
 name: destination.geo.continent_name
 - external: ecs
@@ -20,10 +22,16 @@
 name: destination.geo.country_name
 - external: ecs
 name: destination.geo.location
+- external: ecs
+ name: destination.geo.name
+- external: ecs
+ name: destination.geo.postal_code
 - external: ecs
 name: destination.geo.region_iso_code
 - external: ecs
 name: destination.geo.region_name
+- external: ecs
+ name: destination.geo.timezone
 - external: ecs
 name: destination.ip
 - external: ecs
@@ -74,6 +82,8 @@
 name: related.hash
 - external: ecs
 name: related.hosts
+- external: ecs
+ name: related.ip
 - external: ecs
 name: rule.category
 - external: ecs
@@ -90,6 +100,8 @@
 name: source.bytes
 - external: ecs
 name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_code
 - external: ecs
 name: source.geo.continent_name
 - external: ecs
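Review bot: The new `destination.geo.continent_code`, `.name`, `.postal_code` and `.timezone` declarations (and their `source.geo.*` counterparts in the @@ -20, @@ -90 and @@ -98 hunks of ecs.yml) only add index mappings; the eve ingest pipeline that would have to emit those geoip properties is not part of this diff, so they stay empty unless the pipeline's geo enrichment is configured for them, which is worth checking together with the pipeline test expectations. `related.ip` in the @@ -74 hunk takes over from the local `related` group removed in fields-epr.yml, so its type and description now come from the ECS reference the package is built against instead of the explicit `type: ip` that was removed; confirm the pinned reference defines `related.ip`, because detection content and analyst pivots that filter `related.ip` by CIDR range depend on it staying `ip`-typed. The changelog entry `Add missing ECS field mappings` could name which fields were added (the geo subfields and `related.ip`) so a reader of the release notes can tell which queries or dashboards it unblocks.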
@@ -98,10 +110,16 @@
 name: source.geo.country_name
 - external: ecs
 name: source.geo.location
+- external: ecs
+ name: source.geo.name
+- external: ecs
+ name: source.geo.postal_code
 - external: ecs
 name: source.geo.region_iso_code
 - external: ecs
 name: source.geo.region_name
+- external: ecs
+ name: source.geo.timezone
 - external: ecs
 name: source.ip
 - external: ecs
diff --git a/packages/suricata/data_stream/eve/fields/fields-epr.yml b/packages/suricata/data_stream/eve/fields/fields-epr.yml
index b8a01e0fdce3..68645e89a207 100644
--- a/packages/suricata/data_stream/eve/fields/fields-epr.yml
+++ b/packages/suricata/data_stream/eve/fields/fields-epr.yml
@@ -145,16 +145,6 @@
 ignore_above: 1024
 description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers."
 example: answer
-- name: related
- title: Related
- group: 2
- description: "This field set is meant to facilitate pivoting around a piece of data.\nSome pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.\nA concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`."
- type: group
- fields:
- - name: ip
- level: extended
- type: ip
- description: All of the IPs seen on your event.
 - name: input.type # Filebeat Fields
 type: keyword
 description: Filebeat input type used to collect the log.
diff --git a/packages/suricata/docs/README.md b/packages/suricata/docs/README.md
index c8321794eae4..4f99b4ebef13 100644
--- a/packages/suricata/docs/README.md
+++ b/packages/suricata/docs/README.md
@@ -131,12 +131,16 @@ An example event for `eve` looks as following:
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
 | destination.geo.country_iso_code | Country ISO code. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | destination.geo.region_iso_code | Region ISO code. | keyword |
 | destination.geo.region_name | Region name. | keyword |
+| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | destination.packets | Packets sent from the destination to the source. | long |
@@ -216,12 +220,16 @@ An example event for `eve` looks as following:
 | source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.bytes | Bytes sent from the source to the destination. | long |
 | source.geo.city_name | City name. | keyword |
+| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
 | source.geo.country_name | Country name. | keyword |
 | source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | source.geo.region_iso_code | Region ISO code. | keyword |
 | source.geo.region_name | Region name. | keyword |
+| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | source.packets | Packets sent from the source to the destination. | long |
diff --git a/packages/suricata/manifest.yml b/packages/suricata/manifest.yml
index d25a69bdfd4b..58999299dce2 100644
--- a/packages/suricata/manifest.yml
+++ b/packages/suricata/manifest.yml
@@ -1,6 +1,6 @@
 name: suricata
 title: Suricata
-version: "2.12.0"
+version: "2.12.1"
 description: Collect logs from Suricata with Elastic Agent.
 type: integration
 icons: