[Filebeat] Threatintel compatibility updates (#27323)

* First pass on updating filebeat threatintel logic for ECS 1.11 This only covers modules starting with an a; the rest will follow shortly. In general, these changes address the following goals: * preference for indicator.url.domain, and deprecation of indicator.domain * moving from event.reference to indicator.reference * Move remaining modules from indicator.domain -> indicator.url.domain Along with conditional checks to ensure we're not overwriting the relevant uri_parts data from earlier in the pipeline. * Update indicator.reference in relevant modules * Fix missing prefix in target field * linting and apply new testfiles * Run `make update` in filebeat * fixing duplicate fields * mage fmt update * linting Co-authored-by: Marius Iversen <[email protected]>
elastic · Sep 7, 2021 · 4be2694 · 4be2694
1 parent 8afb80e
commit 4be2694
Show file tree

Hide file tree

Showing 23 changed files with 2,299 additions and 2,087 deletions.
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -156557,23 +156557,23 @@ type: keyword
 
 --
 
-*`threatintel.indicator.ip`*::
+*`threatintel.indicator.reference`*::
 +
 --
-Identifies a threat indicator as an IP address (irrespective of direction).
+Reference URL linking to additional information about this indicator.
 
 
-type: ip
+type: keyword
 
 --
 
-*`threatintel.indicator.domain`*::
+*`threatintel.indicator.ip`*::
 +
 --
-Identifies a threat indicator as a domain (irrespective of direction).
+Identifies a threat indicator as an IP address (irrespective of direction).
 
 
-type: keyword
+type: ip
 
 --
 

diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc
@@ -68,7 +68,7 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |==============================================================
 | URL Threat Intel Fields | ECS Fields
-| url | threat.indicator.url.full
+| url | threatintel.indicator.url.full
 | date_added | @timestamp
 | host | threatintel.indicator.ip/domain
 |==============================================================
@@ -473,7 +473,7 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
 | date_first | threatintel.indicator.first_seen
 | date_last | threatintel.indicator.last_seen
 | detail | tags
-| domain | threatintel.indicator.domain
+| domain | threatintel.indicator.url.domain
 | email | threatintel.indicator.email.address
 | itype<<a,[1]>> | threatintel.indicator.type
 | lat | threatintel.indicator.geo.location.lat

diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
@@ -63,7 +63,7 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |==============================================================
 | URL Threat Intel Fields | ECS Fields
-| url | threat.indicator.url.full
+| url | threatintel.indicator.url.full
 | date_added | @timestamp
 | host | threatintel.indicator.ip/domain
 |==============================================================
@@ -468,7 +468,7 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
 | date_first | threatintel.indicator.first_seen
 | date_last | threatintel.indicator.last_seen
 | detail | tags
-| domain | threatintel.indicator.domain
+| domain | threatintel.indicator.url.domain
 | email | threatintel.indicator.email.address
 | itype<<a,[1]>> | threatintel.indicator.type
 | lat | threatintel.indicator.geo.location.lat