Add registered_domain processor similar to Filebeat processor #57476
Pinging @elastic/es-core-features (:Core/Features/Ingest)
Discussed with @jakelandis. @jamiehynds to provide ECS fields to map to.
In ECS, fields that contain a DNS domain name can appear in many places:
Each of these fields can potentially contain stuff that doesn't look like an FQDN, so leniency is important. Or at least the code path for invalid values should be fast :-) The convention we've followed has always been to have the domain breakdown fields as siblings to each of the above. The breakdown fields are But by example, when breaking down "www.google.co.uk":
So I think this processor's output target could default to outputting the breakdown fields as siblings to the field from which the value is being read. E.g.
Hi, We are implementing indicator match in the SIEM. One issue we have is doing TLD extract in non-beats fields i.e. not packetbeat. Proxy data is indexed in elastic directly through logstash, and although there is a Logstash TLD extract filter it is not maintained/documented. The problem is if an indicator has a sub-domain in the logs but not the threat intel feed, there's a high risk it will be missed. It would help if we could do TLD extract in an ingest processor. The rules for doing TLD extract with the public suffix list can be found here
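As an added illustration (not code from this issue, Elasticsearch or Filebeat), here is a Python sketch of the public suffix list matching the two comments above refer to: it produces the ECS sibling fields (`registered_domain`, `top_level_domain`, `subdomain`) for the "www.google.co.uk" example and takes a fast, lenient path for values that are not FQDNs. The rule subset is constructed; the real list has thousands of entries.

```python
import ipaddress

# Constructed subset of the Public Suffix List: plain rules, a wildcard
# rule ("*.ck") and an exception rule ("!www.ck"). The real list is far larger.
PSL_RULES = ["com", "uk", "co.uk", "*.ck", "!www.ck"]


def _rule_matches(rule_labels, domain_labels):
    """A rule matches when it is a label-wise suffix of the domain; '*' matches any label."""
    if len(rule_labels) > len(domain_labels):
        return False
    return all(r == "*" or r == d
               for r, d in zip(reversed(rule_labels), reversed(domain_labels)))


def split_domain(value):
    """Return ECS-style breakdown fields, or {} when the value is not a usable FQDN."""
    # Fast, lenient path: empty, oversized or whitespace-bearing values are not domains.
    if not value or len(value) > 253 or " " in value:
        return {}
    host = value.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)  # IP literals carry no registered domain
        return {}
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return {}
    # Find the prevailing rule: an exception rule wins outright, otherwise the longest match.
    prevailing = None  # (is_exception, rule_labels)
    for rule in PSL_RULES:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, labels):
            continue
        if is_exception:
            prevailing = (True, rule_labels)
            break
        if prevailing is None or len(rule_labels) > len(prevailing[1]):
            prevailing = (False, rule_labels)
    if prevailing is None:
        suffix_len = 1                       # implicit "*" rule: last label is the suffix
    elif prevailing[0]:
        suffix_len = len(prevailing[1]) - 1  # exception: drop the leftmost rule label
    else:
        suffix_len = len(prevailing[1])
    if suffix_len >= len(labels):
        return {}  # the value is itself a public suffix, e.g. "co.uk"
    out = {"registered_domain": ".".join(labels[-(suffix_len + 1):]),
           "top_level_domain": ".".join(labels[-suffix_len:])}
    subdomain = ".".join(labels[:-(suffix_len + 1)])
    if subdomain:
        out["subdomain"] = subdomain
    return out
```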
Closed by #67611
It would be nice to have a registered_domain processor like the filebeat one. This would be useful so we can have ingest pipelines that are completely in ES that can fill out the ECS fields like dns.question.top_level_domain.