[Filebeat] Enrich subdomain information for suricata and zeek (#23011) (

#23040)

* [Filebeat] Enrich subdomain information for suricata and zeek

* Update changelog

(cherry picked from commit 74dee78)

CHANGELOG.next.asciidoc

@@ -484,6 +484,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `http.request.mime_type` for Elasticsearch audit log fileset. {pull}22975[22975]
 - Add new httpjson input features and mark old config ones for deprecation {pull}22320[22320]
 - Add configuration option to set external and internal networks for panw panos fileset {pull}22998[22998]
+- Add subdomain enrichment for suricata/eve fileset. {pull}23011[23011]
+- Add subdomain enrichment for zeek/dns fileset. {pull}23011[23011]
 
 *Heartbeat*
 

x-pack/filebeat/module/suricata/eve/config/eve.yml

@@ -52,6 +52,7 @@ processors:
       ignore_failure: true
       field: suricata.eve.dns.rrname
       target_field: dns.question.registered_domain
+      target_subdomain_field: dns.question.subdomain
   - add_fields:
       target: ''
       fields:

x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json

@@ -229,6 +229,7 @@
         "dns.id": "60273",
         "dns.question.name": "www.elastic.co",
         "dns.question.registered_domain": "elastic.co",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "co",
         "dns.question.type": "A",
         "dns.type": "query",
@@ -276,6 +277,7 @@
         "dns.id": "4210",
         "dns.question.name": "www.elastic.co",
         "dns.question.registered_domain": "elastic.co",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "co",
         "dns.question.type": "AAAA",
         "dns.type": "query",
@@ -359,6 +361,7 @@
         "dns.id": "60273",
         "dns.question.name": "www.elastic.co",
         "dns.question.registered_domain": "elastic.co",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "co",
         "dns.question.type": "A",
         "dns.resolved_ip": [
@@ -453,6 +456,7 @@
         "dns.id": "4210",
         "dns.question.name": "www.elastic.co",
         "dns.question.registered_domain": "elastic.co",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "co",
         "dns.question.type": "AAAA",
         "dns.resolved_ip": [
@@ -511,6 +515,7 @@
         "dns.id": "28329",
         "dns.question.name": "www.yahoo.com",
         "dns.question.registered_domain": "yahoo.com",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "com",
         "dns.question.type": "A",
         "dns.type": "query",
@@ -558,6 +563,7 @@
         "dns.id": "7050",
         "dns.question.name": "www.yahoo.com",
         "dns.question.registered_domain": "yahoo.com",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "com",
         "dns.question.type": "AAAA",
         "dns.type": "query",
@@ -1217,6 +1223,7 @@
         "dns.id": "9104",
         "dns.question.name": "www.elastic.co",
         "dns.question.registered_domain": "elastic.co",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "co",
         "dns.question.type": "A",
         "dns.type": "query",
@@ -1264,6 +1271,7 @@
         "dns.id": "12859",
         "dns.question.name": "www.elastic.co",
         "dns.question.registered_domain": "elastic.co",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "co",
         "dns.question.type": "AAAA",
         "dns.type": "query",
@@ -1347,6 +1355,7 @@
         "dns.id": "9104",
         "dns.question.name": "www.elastic.co",
         "dns.question.registered_domain": "elastic.co",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "co",
         "dns.question.type": "A",
         "dns.resolved_ip": [
@@ -1441,6 +1450,7 @@
         "dns.id": "12859",
         "dns.question.name": "www.elastic.co",
         "dns.question.registered_domain": "elastic.co",
+        "dns.question.subdomain": "www",
         "dns.question.top_level_domain": "co",
         "dns.question.type": "AAAA",
         "dns.resolved_ip": [

x-pack/filebeat/module/zeek/dns/config/dns.yml

@@ -19,6 +19,7 @@ processors:
       ignore_failure: true
       field: zeek.dns.query
       target_field: dns.question.registered_domain
+      target_subdomain_field: dns.question.subdomain
   - script:
       lang: javascript
       id: zeek_dns_flags

x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json

@@ -26,6 +26,7 @@
         "dns.question.class": "IN",
         "dns.question.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io",
         "dns.question.registered_domain": "es.io",
+        "dns.question.subdomain": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud",
         "dns.question.top_level_domain": "io",
         "dns.question.type": "A",
         "dns.resolved_ip": [
@@ -99,6 +100,7 @@
         "dns.question.class": "IN",
         "dns.question.name": "_googlecast._tcp.local",
         "dns.question.registered_domain": "_tcp.local",
+        "dns.question.subdomain": "_googlecast",
         "dns.question.top_level_domain": "local",
         "dns.question.type": "PTR",
         "dns.type": "query",
@@ -159,6 +161,7 @@
         "dns.id": 0,
         "dns.question.name": "_googlecast._tcp.local",
         "dns.question.registered_domain": "_tcp.local",
+        "dns.question.subdomain": "_googlecast",
         "dns.question.top_level_domain": "local",
         "dns.response_code": "NOERROR",
         "dns.type": "answer",