From 034bde60cf6426a08da04f66e6854c346e14982a Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 12 Nov 2020 15:12:13 -0600 Subject: [PATCH] Add dns.answer object into experimental schema (#1118) # Conflicts: # experimental/generated/csv/fields.csv --- CHANGELOG.md | 2 +- experimental/generated/beats/fields.ecs.yml | 13 +++++++++++++ experimental/generated/csv/fields.csv | 1 + experimental/generated/ecs/ecs_flat.yml | 19 +++++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 19 +++++++++++++++++++ .../generated/elasticsearch/7/template.json | 3 ++- experimental/schemas/dns.yml | 2 ++ 7 files changed, 57 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e77fe6b0b..fe5c780742 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,7 @@ All notable changes to this project will be documented in this file based on the * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951 * Added `configuration` as an allowed `event.category`. #963 * Added a new directory with experimental artifacts, which includes all changes - from RFCs that have reached stage 2. #993, #1053, #1115 + from RFCs that have reached stage 2. #993, #1053, #1115, #1118 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 49b6c13543..c077d6f37d 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -967,6 +967,19 @@ (`dns.type:answer`).' type: group fields: + - name: answers + level: extended + type: object + description: 'An array containing an object for each answer section returned + by the server. + + The main keys that should be present in these objects are defined by ECS. + Records that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map + as much of it to ECS as possible, and add any additional fields to the answer + objects as custom fields.' - name: answers.class level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index e4b414c549..c92c613bbf 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -113,6 +113,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 1.7.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 1.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.7.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 1.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 1.7.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. 1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 46b44e8250..4cbf562f31 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1318,6 +1318,25 @@ dll.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +dns.answers: + dashed_name: dns-answers + description: 'An array containing an object for each answer section returned by + the server. + + The main keys that should be present in these objects are defined by ECS. Records + that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map as + much of it to ECS as possible, and add any additional fields to the answer objects + as custom fields.' + flat_name: dns.answers + level: extended + name: answers + normalize: + - array + short: Array of DNS answers. + type: object dns.answers.class: dashed_name: dns-answers-class description: The class of DNS data contained in this resource record. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 8865448383..f91a0da8b6 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1667,6 +1667,25 @@ dns: (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).' fields: + dns.answers: + dashed_name: dns-answers + description: 'An array containing an object for each answer section returned + by the server. + + The main keys that should be present in these objects are defined by ECS. + Records that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map + as much of it to ECS as possible, and add any additional fields to the answer + objects as custom fields.' + flat_name: dns.answers + level: extended + name: answers + normalize: + - array + short: Array of DNS answers. + type: object dns.answers.class: dashed_name: dns-answers-class description: The class of DNS data contained in this resource record. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index a187e155e9..f195e4939a 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -568,7 +568,8 @@ "ignore_above": 1024, "type": "keyword" } - } + }, + "type": "object" }, "header_flags": { "ignore_above": 1024, diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml index 54f9ccd69a..466859c09f 100644 --- a/experimental/schemas/dns.yml +++ b/experimental/schemas/dns.yml @@ -3,5 +3,7 @@ fields: - name: question.name type: wildcard + - name: answers + type: object - name: answers.data type: wildcard