microsoft_dnsserver: Enrich dns.question.* ECS fields for both datastream

Author: brijesh-elastic

packages/microsoft_dnsserver/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.4.0"
+  changes:
+    - description: Enrich dns.question.* fields.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14336
 - version: "1.3.0"
   changes:
     - description: Remove duplicated installation instructions from the documentation.

packages/microsoft_dnsserver/data_stream/analytical/_dev/test/pipeline/test-events.json-expected.json

@@ -24,7 +24,9 @@
             "dns": {
                 "id": "7",
                 "question": {
-                    "name": "google.es.",
+                    "name": "google.es",
+                    "registered_domain": "google.es",
+                    "top_level_domain": "es",
                     "type": "AAAA"
                 },
                 "response_code": "NoError"
@@ -120,7 +122,9 @@
                 ],
                 "id": "14383",
                 "question": {
-                    "name": "google.es.",
+                    "name": "google.es",
+                    "registered_domain": "google.es",
+                    "top_level_domain": "es",
                     "type": "AAAA"
                 }
             },
@@ -261,7 +265,9 @@
                 ],
                 "id": "6",
                 "question": {
-                    "name": "google.es.",
+                    "name": "google.es",
+                    "registered_domain": "google.es",
+                    "top_level_domain": "es",
                     "type": "A"
                 }
             },
@@ -390,7 +396,9 @@
             "dns": {
                 "id": "23472",
                 "question": {
-                    "name": "example.com.",
+                    "name": "example.com",
+                    "registered_domain": "example.com",
+                    "top_level_domain": "com",
                     "type": "A"
                 }
             },

packages/microsoft_dnsserver/data_stream/analytical/elasticsearch/ingest_pipeline/default.yml

@@ -312,11 +312,27 @@ processors:
       copy_from: microsoft_dnsserver.analytical.xid
       ignore_empty_value: true
       tag: set_dns_id
-  - set:
-      field: dns.question.name
-      copy_from: microsoft_dnsserver.analytical.question_name
-      ignore_empty_value: true
-      tag: set_dns_question_name
+  - gsub:
+      field: microsoft_dnsserver.analytical.question_name
+      target_field: _temp.question_name
+      tag: gsub_trim_trailing_dot
+      pattern: \.$
+      replacement: ""
+      ignore_missing: true
+  - registered_domain:
+      field: _temp.question_name
+      tag: registered_domain_question_name
+      target_field: dns.question
+      ignore_missing: true
+      on_failure:
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - rename:
+      field: dns.question.domain
+      tag: rename_dns_question_domain
+      target_field: dns.question.name
+      ignore_missing: true
   - set:
       field: dns.question.type
       copy_from: microsoft_dnsserver.analytical.question_type
@@ -364,6 +380,7 @@ processors:
       tag: append_dns_header_flag_TC
   - remove:
       field:
+        - _temp
         - microsoft_dnsserver.analytical.AA
         - microsoft_dnsserver.analytical.AD
         - microsoft_dnsserver.analytical.RD

packages/microsoft_dnsserver/data_stream/audit/_dev/test/pipeline/test-events.json-expected.json

@@ -138,7 +138,9 @@
             },
             "dns": {
                 "question": {
-                    "name": "B.ROOT-SERVERS.NET.",
+                    "name": "B.ROOT-SERVERS.NET",
+                    "registered_domain": "root-servers.net",
+                    "top_level_domain": "net",
                     "type": "AAAA"
                 }
             },

packages/microsoft_dnsserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml

@@ -282,11 +282,27 @@ processors:
       copy_from: microsoft_dnsserver.audit.ttl
       ignore_empty_value: true
       tag: set_dns_answers_ttl
-  - set:
-      field: dns.question.name
-      copy_from: microsoft_dnsserver.audit.question_name
-      ignore_empty_value: true
-      tag: set_dns_question_name
+  - gsub:
+      field: microsoft_dnsserver.audit.question_name
+      target_field: _temp.question_name
+      tag: gsub_trim_trailing_dot
+      pattern: \.$
+      replacement: ""
+      ignore_missing: true
+  - registered_domain:
+      field: _temp.question_name
+      tag: registered_domain_question_name
+      target_field: dns.question
+      ignore_missing: true
+      on_failure:
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - rename:
+      field: dns.question.domain
+      tag: rename_dns_question_domain
+      target_field: dns.question.name
+      ignore_missing: true
   - set:
       field: dns.question.type
       copy_from: microsoft_dnsserver.audit.question_type
@@ -308,6 +324,10 @@ processors:
       copy_from: microsoft_dnsserver.audit.bytes_sent
       ignore_empty_value: true
       tag: set_network_bytes
+  - remove:
+      field: _temp
+      ignore_missing: true
+      tag: remove_temp_question_name
 
 # Source IP
   - convert:

packages/microsoft_dnsserver/manifest.yml

@@ -3,7 +3,7 @@ name: microsoft_dnsserver
 title: Microsoft DNS Server
 description: Collect logs from Microsoft DNS Server with Elastic Agent.
 type: integration
-version: "1.3.0"
+version: "1.4.0"
 conditions:
   kibana:
     version: ^8.13.0 || ^9.0.0