elastic · P1llus · Jun 29, 2021 · Mar 24, 2021 · Mar 28, 2021 · Apr 2, 2021
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -809,6 +809,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add new grok pattern for iptables module for Ubiquiti UDM {issue}25615[25615] {pull}25616[25616]
 - Add multiline support to aws-s3 input. {issue}25249[25249] {pull}25710[25710]
 - Add monitoring metrics to the `aws-s3` input. {pull}25711[25711]
+- Added `network.direction` fields to Zeek and Suricata modules using the `add_network_direction` processor {pull}24620[24620]
 - Add Content-Type override to aws-s3 input. {issue}25697[25697] {pull}25772[25772]
 - In Cisco Umbrella fileset add users from cisco.umbrella.identities to related.user. {pull}25776[25776]
 - Add fingerprint processor to generate fixed ids for `google_workspace` events. {pull}25841[25841]

diff --git a/filebeat/docs/modules/suricata.asciidoc b/filebeat/docs/modules/suricata.asciidoc
@@ -51,6 +51,15 @@ A list of tags to include in events. Including `forwarded` indicates that the
 events did not originate on this host and causes `host.name` to not be added to
 events. Defaults to `[suricata]`.
 
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<<condition-network, `network`>> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
 [float]
 === Example dashboard