Update Sysmon Event ID 22 for ECS DNS

Change two fields to match ECS DNS. This is a follow-up to elastic#13116 now that the field names are finalized.
andrewkroh · Aug 26, 2019 · b448de3 · b448de3
1 parent fd3184b
commit b448de3
Show file tree

Hide file tree

Showing 5 changed files with 1,312 additions and 1,857 deletions.
diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
@@ -4708,66 +4708,6 @@ type: keyword
 
 --
 
-*`dns.question.name`*::
-+
---
-The name being queried.
-
-
-type: keyword
-
---
-
-*`dns.answers`*::
-+
---
-An array containing a dictionary about each answer section returned by the server.
-
-
-type: object
-
---
-
-*`dns.answers.type`*::
-+
---
-The type of data contained in this resource record.
-
-type: keyword
-
-example: CNAME
-
---
-
-*`dns.answers.data`*::
-+
---
-type: keyword
-
---
-
-*`dns.answers_count`*::
-+
---
-The number of resource records contained in the `dns.answers` field.
-
-
-type: long
-
-example: 3
-
---
-
-*`dns.grouped.ip`*::
-+
---
-Array containing all IPs seen in `dns.answers.data`.
-
-
-type: ip
-
---
-
 [[exported-fields-winlog]]
 == Winlogbeat fields
 

diff --git a/x-pack/winlogbeat/module/sysmon/_meta/fields.yml b/x-pack/winlogbeat/module/sysmon/_meta/fields.yml
@@ -8,37 +8,3 @@
     - name: sysmon.dns.status
       type: keyword
       description: Windows status code returned for the DNS query.
-
-    # These dns.* fields are anticipated to be added to ECS.
-    - name: dns.question.name
-      type: keyword
-      description: >
-        The name being queried.
-
-    - name: dns.answers
-      type: object
-      description: >
-        An array containing a dictionary about each answer section returned by
-        the server.
-
-    - name: dns.answers.type
-      type: keyword
-      description: The type of data contained in this resource record.
-      example: CNAME
-
-    - name: dns.answers.data
-      type: keyword
-      short: The data describing the resource.
-
-    - name: dns.answers_count
-      type: long
-      description: >
-        The number of resource records contained in the `dns.answers` field.
-      example: 3
-
-    - name: dns.grouped.ip
-      type: ip
-      description: >
-        Array containing all IPs seen in `dns.answers.data`.
-
-
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -373,10 +373,9 @@ var sysmon = (function () {
 
         if (answers.length > 0) {
             evt.Put("dns.answers", answers);
-            evt.Put("dns.answers_count", answers.length);
         }
         if (ips.length > 0) {
-            evt.Put("dns.grouped.ip", ips);
+            evt.Put("dns.resolved_ip", ips);
         }
         evt.Delete("winlog.event_data.QueryResults");
     };

diff --git a/x-pack/winlogbeat/module/sysmon/fields.go b/x-pack/winlogbeat/module/sysmon/fields.go