diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index edf4ca564af..978b63c7977 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -484,6 +484,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `http.request.mime_type` for Elasticsearch audit log fileset. {pull}22975[22975]
 - Add new httpjson input features and mark old config ones for deprecation {pull}22320[22320]
 - Add configuration option to set external and internal networks for panw panos fileset {pull}22998[22998]
+- Add subdomain enrichment for suricata/eve fileset. {pull}23011[23011]
+- Add subdomain enrichment for zeek/dns fileset. {pull}23011[23011]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml
index ec6a2cc68b5..d31e2e04249 100644
--- a/x-pack/filebeat/module/suricata/eve/config/eve.yml
+++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml
@@ -52,6 +52,7 @@ processors:
 ignore_failure: true
 field: suricata.eve.dns.rrname
 target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
index 7201aa1509c..c61e3f6d12a 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
@@ -229,6 +229,7 @@
 "dns.id": "60273",
 "dns.question.name": "www.elastic.co",
 "dns.question.registered_domain": "elastic.co",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "co",
 "dns.question.type": "A",
 "dns.type": "query",
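Review bot: The added `target_subdomain_field: dns.question.subdomain` in the suricata eve.yml hunk is only populated when the `registered_domain` split succeeds, and because the processor keeps `ignore_failure: true` a name it cannot split (bare TLDs, names outside the public suffix list) simply yields no subdomain field with no error surfaced — acceptable for a best-effort enrichment, but worth stating. Nothing in this diff adds `dns.question.subdomain` to the fileset's field mapping, so please confirm the ECS template this branch ships already declares it rather than relying on dynamic mapping, since the field's main consumer will be detections that look at subdomain label length or entropy for DNS tunnelling and exfiltration, which need a keyword mapping. A one-line comment above the processor would help the next reader: `# dns.question.subdomain: labels left of dns.question.registered_domain (ECS); absent when the name cannot be split`. The enclosing `processors` list starts before and continues after this hunk.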
@@ -276,6 +277,7 @@
 "dns.id": "4210",
 "dns.question.name": "www.elastic.co",
 "dns.question.registered_domain": "elastic.co",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "co",
 "dns.question.type": "AAAA",
 "dns.type": "query",
@@ -359,6 +361,7 @@
 "dns.id": "60273",
 "dns.question.name": "www.elastic.co",
 "dns.question.registered_domain": "elastic.co",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "co",
 "dns.question.type": "A",
 "dns.resolved_ip": [
@@ -453,6 +456,7 @@
 "dns.id": "4210",
 "dns.question.name": "www.elastic.co",
 "dns.question.registered_domain": "elastic.co",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "co",
 "dns.question.type": "AAAA",
 "dns.resolved_ip": [
@@ -511,6 +515,7 @@
 "dns.id": "28329",
 "dns.question.name": "www.yahoo.com",
 "dns.question.registered_domain": "yahoo.com",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "com",
 "dns.question.type": "A",
 "dns.type": "query",
@@ -558,6 +563,7 @@
 "dns.id": "7050",
 "dns.question.name": "www.yahoo.com",
 "dns.question.registered_domain": "yahoo.com",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "com",
 "dns.question.type": "AAAA",
 "dns.type": "query",
@@ -1217,6 +1223,7 @@
 "dns.id": "9104",
 "dns.question.name": "www.elastic.co",
 "dns.question.registered_domain": "elastic.co",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "co",
 "dns.question.type": "A",
 "dns.type": "query",
@@ -1264,6 +1271,7 @@
 "dns.id": "12859",
 "dns.question.name": "www.elastic.co",
 "dns.question.registered_domain": "elastic.co",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "co",
 "dns.question.type": "AAAA",
 "dns.type": "query",
@@ -1347,6 +1355,7 @@
 "dns.id": "9104",
 "dns.question.name": "www.elastic.co",
 "dns.question.registered_domain": "elastic.co",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "co",
 "dns.question.type": "A",
 "dns.resolved_ip": [
@@ -1441,6 +1450,7 @@
 "dns.id": "12859",
 "dns.question.name": "www.elastic.co",
 "dns.question.registered_domain": "elastic.co",
+ "dns.question.subdomain": "www",
 "dns.question.top_level_domain": "co",
 "dns.question.type": "AAAA",
 "dns.resolved_ip": [
diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml
index 0a73f66e43a..39a986642fb 100644
--- a/x-pack/filebeat/module/zeek/dns/config/dns.yml
+++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml
@@ -19,6 +19,7 @@ processors:
 ignore_failure: true
 field: zeek.dns.query
 target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
 - script:
 lang: javascript
 id: zeek_dns_flags
diff --git a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
index 0c01c52e428..61a57b55bd8 100644
--- a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
@@ -26,6 +26,7 @@
 "dns.question.class": "IN",
 "dns.question.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io",
 "dns.question.registered_domain": "es.io",
+ "dns.question.subdomain": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud",
 "dns.question.top_level_domain": "io",
 "dns.question.type": "A",
 "dns.resolved_ip": [
@@ -99,6 +100,7 @@
 "dns.question.class": "IN",
 "dns.question.name": "_googlecast._tcp.local",
 "dns.question.registered_domain": "_tcp.local",
+ "dns.question.subdomain": "_googlecast",
 "dns.question.top_level_domain": "local",
 "dns.question.type": "PTR",
 "dns.type": "query",
@@ -159,6 +161,7 @@
 "dns.id": 0,
 "dns.question.name": "_googlecast._tcp.local",
 "dns.question.registered_domain": "_tcp.local",
+ "dns.question.subdomain": "_googlecast",
 "dns.question.top_level_domain": "local",
 "dns.response_code": "NOERROR",
 "dns.type": "answer",
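Review bot: For names that are not under a public suffix, the new `dns.question.subdomain` written by the added `target_subdomain_field` line in zeek dns.yml is a positional split rather than "labels under the organisation's domain": the fixture in this same diff records `_googlecast._tcp.local` with registered_domain `_tcp.local` and subdomain `_googlecast`, and private internal zones will presumably split the same way. That appears to be inherited from the existing `registered_domain` processor rather than introduced here, but anyone building tunnelling or exfiltration detections on subdomain length or entropy should exclude mDNS `.local` and private zones, and the config is the natural place to say so. Suggested comment above the processor: `# subdomain/registered_domain come from the public suffix list; .local (mDNS) and private zones split positionally, see dns-json.log-expected.json`. The enclosing `processors` list continues past the hunk, and the `script` processor that follows is cut off.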