[Filebeat] Replace Suricata/Eve fields with aliases to ECS fields

[adriansr]

This PR avoids duplicate data in documents ingested via the Suricata Eve fileset by replacing a few fields with aliases to ECS fields.

This allows to maintain the full set of fields Suricata users may expect while at the same time reducing the size of the events.

The aliased fields are:

Aliased field	Target ECS field
suricata.eve.alert.action	event.outcome
suricata.eve.alert.severity	event.severity
suricata.eve.app_proto	network.protocol
suricata.eve.dest_ip	destination.ip
suricata.eve.dest_port	destination.port
suricata.eve.event_type	event.type
suricata.eve.fileinfo.filename	file.path
suricata.eve.fileinfo.size	file.size
suricata.eve.flow.start	event.start
suricata.eve.flow.bytes_toclient	destination.bytes
suricata.eve.flow.bytes_toserver	source.bytes
suricata.eve.flow.pkts_toclient	destination.packets
suricata.eve.flow.pkts_toserver	source.packets
suricata.eve.http.hostname	url.domain
suricata.eve.http.http_method	http.request.method
suricata.eve.http.http_refer	http.request.referrer
suricata.eve.http.http_user_agent	user_agent.original
suricata.eve.http.length	http.response.body.bytes
suricata.eve.http.status	http.response.status_code
suricata.eve.proto	network.transport
suricata.eve.src_ip	source.ip
suricata.eve.src_port	source.port
suricata.eve.timestamp	@timestamp

Also, the following non-related fixes are performed:

• "http.response.status_code" was being set from a string and not an integer.
• "user_agent.original" was being inadvertedly removed by the user_agent processor.
• Reformatted the ingest pipeline with standard JSON formatting.

[elasticmachine]

Pinging @elastic/secops

[adriansr]

Note to reviewers: To review the ingest pipeline it's easier if you look at the changes added in every individual commit in the PR.

[webmat]

This is almost ready to go. Good work!

I've noticed one missing alias, for url.path. That's the only change required in my review.

I also have one optional suggestion to make the IN code a little more straightforward.

[webmat]

Good catch!

[webmat]

For most of these fields, you could actually get rid of the convert { type: string} and do a straight field rename. Would look much more like the other modules, and would remove the need to have this huge remove operation.

[adriansr]

You are completely right. There's a lot of cleanup that can be done

[webmat]

suricata.eve.http.url => url.path

[adriansr]

I'm not so sure about that one, as we will be losing information if s.e.http.url has query and/or fragment part (those go into url.query and url.fragment).

[ruflin]

perhaps then url.original?

[webmat]

Yeah, in this case url.original should be used. This is for the value as observed.

Then optionally (out of scope here) the other fields could be populated to break it down (url.path, url.query, url.fragment), or rebuild full context (url.full).

[adriansr]

Oh, I overlooked url.original. Done!

[ruflin]

LGTM (after addressing review from Mat). I mostly focused on the change in the golden files.

[ruflin]

@webmat This and the one below could be something for ECS in the future.

[webmat]

Yeah I took a note to add content_type, when reviewing this PR, indeed :-)

What's the other field you're referring to? The field below is method LOL. And .hostname => .domain ;-)

[ruflin]

I initially thought these should not go into the ecs-migration.yml file but now I think it would make sense to add them there. This has two advantages:

• In case you missed renaming one of the fields above in the dashboards, the migration script will catch it.
• We can show a full list of files that we migrated including this out of ecs-migration.yml file.

[adriansr]

@ruflin I've updated the ecs-migration.yml, please have a look. I'm unsure if I used the right set of flags. Is there a way to test this migration script?

[ruflin]

@adriansr The migration script for the dashboards can be found here: #9998 I still have to create the script to generate a nice changelog entry.

[ruflin]

I'm good with getting this in as is and have follow up PR's if needed.

[webmat]

This one's straightforward as well. Any reason why you're not renaming it?

[adriansr]

Nope, just skipped it by mistake. Good catch

[webmat]

LGTM as well

One last nit about doing a straight rename for http_refer.

[adriansr]

jenkins, test this