Skip to content

Add community_id, fingerprint, and network_direction processors #3011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 14 commits into from
Oct 14, 2024
Merged

Add community_id, fingerprint, and network_direction processors #3011

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
a7bb431
Processors.ts - add ip to ConvertType
andrewkroh Oct 10, 2024
a24055b
Processors.ts - add community_id
andrewkroh Oct 10, 2024
e0cfc17
Processors.ts - add fingerprint
andrewkroh Oct 10, 2024
0ded54f
Processors.ts - add network_direction
andrewkroh Oct 10, 2024
51f7537
update doc links table.csv
andrewkroh Oct 10, 2024
56d8aa3
review - add @server-default, use Field/Fields
andrewkroh Oct 11, 2024
98ff04e
review - add FingerprintDigest enum to represent fingerprint method
andrewkroh Oct 11, 2024
f24dc11
Processors.ts - add registered_domain processor
andrewkroh Oct 11, 2024
80f4a95
Processors.ts - add output_format to DateProcessor
andrewkroh Oct 11, 2024
77e5e34
Processors.ts - add ecs_compatibility to GrokProcessor
andrewkroh Oct 11, 2024
6b83892
Processors.ts - update transports listed for community_id
andrewkroh Oct 11, 2024
c420d53
network_direction processor - internal_networks needs to be optional
andrewkroh Oct 11, 2024
4982c5f
fix server-default -> server_default
andrewkroh Oct 11, 2024
9439259
remove server_default for empty string
andrewkroh Oct 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions specification/_doc_ids/table.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ cluster-stats,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/c
cluster-update-settings,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/cluster-update-settings.html
cluster,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/cluster.html
common-options,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/common-options.html
community-id-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/community-id-processor.html
connector-sync-job-cancel,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/cancel-connector-sync-job-api.html
connector-sync-job-delete,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/delete-connector-sync-job-api.html
connector-sync-job-get,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/get-connector-sync-job-api.html
Expand Down Expand Up @@ -157,6 +158,7 @@ fail-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/
field-and-document-access-control,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/field-and-document-access-control.html
field-usage-stats,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/field-usage-stats.html
find-structure,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/find-structure.html
fingerprint-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/fingerprint-processor.html
foreach-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/foreach-processor.html
fuzziness,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/common-options.html#fuzziness
gap-policy,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/search-aggregations-pipeline.html#gap-policy
Expand Down Expand Up @@ -329,6 +331,7 @@ modules-scripting,https://www.elastic.co/guide/en/elasticsearch/reference/{branc
modules-snapshots,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/modules-snapshots.html
monitor-elasticsearch-cluster,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/monitor-elasticsearch-cluster.html
multi-fields,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/multi-fields.html
network-direction-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/network-direction-processor.html
node-roles,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/modules-node.html#node-roles
paginate-search-results,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/paginate-search-results.html
painless-contexts,https://www.elastic.co/guide/en/elasticsearch/painless/{branch}/painless-contexts.html
Expand Down
135 changes: 133 additions & 2 deletions specification/ingest/_types/Processors.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,13 @@ export class ProcessorContainer {
* @doc_id ingest-circle-processor
*/
circle?: CircleProcessor
/**
* Computes the Community ID for network flow data as defined in the
* Community ID Specification. You can use a community ID to correlate network
* events related to a single flow.
* @doc_id community-id-processor
*/
community_id?: CommunityIDProcessor
/**
* Converts a field in the currently ingested document to a different type, such as converting a string to an integer.
* If the field value is an array, all members will be converted.
Expand Down Expand Up @@ -106,6 +113,12 @@ export class ProcessorContainer {
* @doc_id fail-processor
*/
fail?: FailProcessor
/**
* Computes a hash of the document’s content. You can use this hash for
* content fingerprinting.
* @doc_id fingerprint-processor
*/
fingerprint?: FingerprintProcessor
/**
* Runs an ingest processor on each element of an array or object.
* @doc_id foreach-processor
Expand Down Expand Up @@ -169,6 +182,12 @@ export class ProcessorContainer {
* @doc_id lowercase-processor
*/
lowercase?: LowercaseProcessor
/**
* Calculates the network direction given a source IP address, destination IP
* address, and a list of internal networks.
* @doc_id network-direction-processor
*/
network_direction?: NetworkDirectionProcessor
/**
* Executes another pipeline.
* @doc_id pipeline-processor
Expand Down Expand Up @@ -528,13 +547,66 @@ export class CircleProcessor extends ProcessorBase {
target_field?: Field
}

export class CommunityIDProcessor extends ProcessorBase {
/**
* Field containing the source IP address.
*/
source_ip?: string
/**
* Field containing the source port.
*/
source_port?: string
/**
* Field containing the destination IP address.
*/
destination_ip?: string
/**
* Field containing the destination port.
*/
destination_port?: string
/**
* Field containing the IANA number.
*/
iana_number?: string
/**
* Field containing the ICMP type.
*/
icmp_type?: string
/**
* Field containing the ICMP code.
*/
icmp_code?: string
/**
* Field containing the transport protocol name or number. Used only when the
* iana_number field is not present. The following protocol names are currently
* supported: ICMP, IGMP, TCP, UDP, GRE, ICMP IPv6, EIGRP, OSPF, PIM, and SCTP.
*/
transport?: string
/**
* Output field for the community ID.
*/
target_field?: Field
/**
* Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The
* seed can prevent hash collisions between network domains, such as a staging
* and production network that use the same addressing scheme.
*/
seed?: integer
/**
* If true and any required fields are missing, the processor quietly exits
* without modifying the document.
*/
ignore_missing?: boolean
}

export enum ConvertType {
integer,
long,
float,
double,
string,
float,
boolean,
ip,
string,
auto
}

Expand Down Expand Up @@ -756,6 +828,33 @@ export class FailProcessor extends ProcessorBase {
message: string
}

export class FingerprintProcessor extends ProcessorBase {
/**
* Array of fields to include in the fingerprint. For objects, the processor
* hashes both the field key and value. For other fields, the processor hashes
* only the field value.
*/
fields: string[]
/**
* Output field for the fingerprint.
*/
target_field?: Field
/**
* Salt value for the hash function.
*/
salt?: string
/**
* The hash method used to compute the fingerprint. Must be one of MD5, SHA-1,
* SHA-256, SHA-512, or MurmurHash3.
*/
method?: string
/**
* If true, the processor ignores any missing fields. If all fields are
* missing, the processor silently exits without modifying the document.
*/
ignore_missing?: boolean
}

export class ForeachProcessor extends ProcessorBase {
/**
* Field containing array or object values.
Expand Down Expand Up @@ -1046,6 +1145,38 @@ export class LowercaseProcessor extends ProcessorBase {
target_field?: Field
}

export class NetworkDirectionProcessor extends ProcessorBase {
/**
* Field containing the source IP address.
*/
source_ip?: string
/**
* Field containing the destination IP address.
*/
destination_ip?: string
/**
* Output field for the network direction.
*/
target_field?: Field
/**
* List of internal networks. Supports IPv4 and IPv6 addresses and ranges in
* CIDR notation. Also supports the named ranges listed below. These may be
* constructed with template snippets. Must specify only one of
* internal_networks or internal_networks_field.
*/
internal_networks: string[]
Copy link
Member Author

@andrewkroh andrewkroh Oct 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the one field that is almost an IP address where would could use the Ip[] type. But that would be inaccurate because the values can be a IP or a CIDR. Should I create a type alias for CIDR somewhere such that the type can be (Ip | CIDR)[]?

Copy link
Member

@flobernd flobernd Oct 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please refresh my memory. Is xxx.xxx.xxx.xxx without a slash a valid CIDR notation that defaults to /32?

In any way, I think it's fine keeping just string[] in this case.

Copy link
Member Author

@andrewkroh andrewkroh Oct 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please refresh my memory. Is xxx.xxx.xxx.xxx without a slash a valid CIDR notation that defaults to /32?

Yes, that's how the processor is behaving for ipv4. I didn't check it, but for ipv6 I would expect similar behavior just using /128 to indicate that it's matching one address.

/**
* A field on the given document to read the internal_networks configuration
* from.
*/
internal_networks_field?: string
/**
* If true and any required fields are missing, the processor quietly exits
* without modifying the document.
*/
ignore_missing?: boolean
}

export class PipelineProcessor extends ProcessorBase {
/**
* The name of the pipeline to execute.
Expand Down
Loading