[Suricata] Missing ECS Field Mappings

packages/suricata/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.12.1"
+  changes:
+    - description: Add missing ECS field mappings
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/7275
 - version: "2.12.0"
   changes:
     - description: Update package-spec to 2.9.0.

packages/suricata/data_stream/eve/fields/ecs.yml

@@ -12,6 +12,8 @@
   name: destination.domain
 - external: ecs
   name: destination.geo.city_name
+- external: ecs
+  name: destination.geo.continent_code
 - external: ecs
   name: destination.geo.continent_name
 - external: ecs
@@ -20,10 +22,16 @@
   name: destination.geo.country_name
 - external: ecs
   name: destination.geo.location
+- external: ecs
+  name: destination.geo.name
+- external: ecs
+  name: destination.geo.postal_code
 - external: ecs
   name: destination.geo.region_iso_code
 - external: ecs
   name: destination.geo.region_name
+- external: ecs
+  name: destination.geo.timezone
 - external: ecs
   name: destination.ip
 - external: ecs
@@ -74,6 +82,8 @@
   name: related.hash
 - external: ecs
   name: related.hosts
+- external: ecs
+  name: related.ip
 - external: ecs
   name: rule.category
 - external: ecs
@@ -90,6 +100,8 @@
   name: source.bytes
 - external: ecs
   name: source.geo.city_name
+- external: ecs
+  name: source.geo.continent_code
 - external: ecs
   name: source.geo.continent_name
 - external: ecs
@@ -98,10 +110,16 @@
   name: source.geo.country_name
 - external: ecs
   name: source.geo.location
+- external: ecs
+  name: source.geo.name
+- external: ecs
+  name: source.geo.postal_code
 - external: ecs
   name: source.geo.region_iso_code
 - external: ecs
   name: source.geo.region_name
+- external: ecs
+  name: source.geo.timezone
 - external: ecs
   name: source.ip
 - external: ecs

packages/suricata/data_stream/eve/fields/fields-epr.yml

@@ -145,16 +145,6 @@
       ignore_above: 1024
       description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers."
       example: answer
-- name: related
-  title: Related
-  group: 2
-  description: "This field set is meant to facilitate pivoting around a piece of data.\nSome pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.\nA concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`."
-  type: group
-  fields:
-    - name: ip
-      level: extended
-      type: ip
-      description: All of the IPs seen on your event.
 - name: input.type # Filebeat Fields
   type: keyword
   description: Filebeat input type used to collect the log.

packages/suricata/docs/README.md

@@ -131,12 +131,16 @@ An example event for `eve` looks as following:
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
 | destination.geo.country_iso_code | Country ISO code. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | destination.geo.region_iso_code | Region ISO code. | keyword |
 | destination.geo.region_name | Region name. | keyword |
+| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | destination.packets | Packets sent from the destination to the source. | long |
@@ -216,12 +220,16 @@ An example event for `eve` looks as following:
 | source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.bytes | Bytes sent from the source to the destination. | long |
 | source.geo.city_name | City name. | keyword |
+| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
 | source.geo.country_name | Country name. | keyword |
 | source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
 | source.geo.region_iso_code | Region ISO code. | keyword |
 | source.geo.region_name | Region name. | keyword |
+| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | source.packets | Packets sent from the source to the destination. | long |

packages/suricata/manifest.yml

@@ -1,6 +1,6 @@
 name: suricata
 title: Suricata
-version: "2.12.0"
+version: "2.12.1"
 description: Collect logs from Suricata with Elastic Agent.
 type: integration
 icons: