
Infoblox_nios: add client geoip and registered_domain processors to dns data #8107


Merged: 11 commits merged into elastic:main on Oct 15, 2023

Conversation


@philippkahr philippkahr commented Oct 5, 2023

When looking at the differences between the Infoblox NIOS DNS dataset and our network_packet_capture dataset, I discovered that we are not using dns.flags to print out the DNS flags, such as:

- = recursion not available
+ = recursion available (from DNS message header)
A = authoritative answer (from DNS message header)
t = truncated response (from DNS message header)
E = EDNS OPT record present (from DNS message header)
D = DNSSEC OK (from EDNS OPT RR)
V = responding server has validated DNSSEC records
L = response contains DTC synthetic record

Taken from: Infoblox DNS

This is an example taken from our network packet capture dns dataset:

{
  "dns": {
    "response_code": "NOERROR",
    "resolved_ip": [
      "34.107.117.83"
    ],
    "question": {
      "registered_domain": "es.io",
      "top_level_domain": "io",
      "etld_plus_one": "es.io",
      "name": "00d0ca5813b840dca7cee7ecebd65591.europe-west3.gcp.cloud.es.io",
      "subdomain": "00d0ca5813b840dca7cee7ecebd65591.europe-west3.gcp.cloud",
      "type": "A",
      "class": "IN"
    },
    "flags": {
      "authoritative": false,
      "truncated_response": false,
      "recursion_desired": true,
      "recursion_available": true,
      "checking_disabled": false,
      "authentic_data": false
    }
  }
}

I added the following:

  • A couple of set processors to add the flags.
  • A registered_domain processor to parse out the subdomain, top-level domain and so on.
  • GeoIP processing for client.ip.

I am not sure about the version bump, if this should become 1.17.0 or 2.0.0.

Proposed commit message

This adds a geoip processor for the client.ip field and a registered_domain processor for the dns.question.name field.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
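The following is an added example, not code from the elastic/integrations repository or from the PR author. It emulates in plain Python what the ingest processors discussed in this PR (and in the later exchange about dns.header_flags) derive from an Infoblox NIOS DNS log line: the Infoblox response flag characters listed above mapped to boolean flags and to the ECS dns.header_flags values (AA, TC, RA), and the query name split into top_level_domain, registered_domain and subdomain the way the registered_domain processor does. The field names for the E, D, V and L characters, the sample event shape and the tiny public-suffix table are assumptions; GeoIP enrichment of client.ip needs a GeoIP database and is left out.

```python
# Added example: emulate the PR's flag and registered_domain derivations in
# Python. Not the integration's own pipeline code.
from __future__ import annotations

import json

# Infoblox flag characters exactly as listed in the PR description. The field
# names used for E, D, V and L are assumptions: ECS has no equivalent for them.
FLAG_CHARS = {
    "+": ("recursion_available", True),
    "-": ("recursion_available", False),
    "A": ("authoritative", True),
    "t": ("truncated_response", True),
    "E": ("edns_opt_present", True),
    "D": ("dnssec_ok", True),
    "V": ("dnssec_validated", True),
    "L": ("dtc_synthetic_record", True),
}

# ECS dns.header_flags carries RFC 1035 header bit names. Only three Infoblox
# characters correspond to header bits; E, D, V and L describe EDNS or
# resolver state and must not be forced into dns.header_flags.
ECS_HEADER_FLAGS = {"A": "AA", "t": "TC", "+": "RA"}

# Constructed subset of the Public Suffix List so the split runs offline; the
# real registered_domain processor ships the full list.
PUBLIC_SUFFIXES = {"io", "com", "net", "co.uk"}

# Constructed sample event, loosely shaped like a parsed NIOS response entry.
SAMPLE_EVENT = {
    "client": {"ip": "192.0.2.10"},
    "infoblox": {"response_flags": "+AE"},
    "dns": {"question": {"name": "00d0ca5813b840dca7cee7ecebd65591.europe-west3.gcp.cloud.es.io"}},
}


def parse_infoblox_flags(flags: str) -> dict:
    """Turn a flag string such as '+AE' into booleans plus ECS header flags.

    Unknown characters raise instead of being dropped, so a changed log format
    surfaces as a pipeline failure rather than as events with wrong flags.
    """
    booleans = {name: False for name, _ in FLAG_CHARS.values()}
    header_flags = set()
    for ch in flags:
        if ch not in FLAG_CHARS:
            raise ValueError(f"unknown Infoblox DNS flag character {ch!r} in {flags!r}")
        name, value = FLAG_CHARS[ch]
        booleans[name] = value
        if ch in ECS_HEADER_FLAGS:
            header_flags.add(ECS_HEADER_FLAGS[ch])
    return {"flags": booleans, "header_flags": sorted(header_flags)}


def split_domain(name: str) -> dict:
    """Emulate the registered_domain processor: the longest public suffix wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                # The name is itself a public suffix: there is no registered domain.
                return {"top_level_domain": suffix}
            result = {
                "top_level_domain": suffix,
                "registered_domain": ".".join(labels[i - 1:]),
            }
            subdomain = ".".join(labels[: i - 1])
            if subdomain:
                result["subdomain"] = subdomain
            return result
    return {}  # no known suffix: the processor leaves the fields unset


def enrich_event(event: dict) -> dict:
    """Apply both derivations to an event without mutating the input."""
    parsed = parse_infoblox_flags(event["infoblox"]["response_flags"])
    name = event["dns"]["question"]["name"]
    enriched = {**event, "dns": {**event["dns"]}}
    enriched["dns"]["question"] = {**event["dns"]["question"], **split_domain(name)}
    enriched["dns"]["flags"] = parsed["flags"]
    enriched["dns"]["header_flags"] = parsed["header_flags"]
    return enriched


if __name__ == "__main__":
    print(json.dumps(enrich_event(SAMPLE_EVENT), indent=2))
```

Running the block prints the enriched sample event; on the sample above the question name splits into the same registered_domain, top_level_domain and subdomain values as the network_packet_capture example, and "+AE" yields header_flags ["AA", "RA"] with the EDNS presence kept as a separate boolean.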

@philippkahr philippkahr added the enhancement New feature or request label Oct 5, 2023
@philippkahr philippkahr requested a review from a team as a code owner October 5, 2023 15:29
@elasticmachine

elasticmachine commented Oct 5, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-10-11T08:16:53.335+0000

  • Duration: 18 min 30 sec

Test stats 🧪

Test Results: Failed 0, Passed 21, Skipped 0, Total 21

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine

elasticmachine commented Oct 5, 2023

🌐 Coverage report

Name | Metrics % (covered/total) | Diff
Packages | 100.0% (1/1) 💚 |
Files | 100.0% (4/4) 💚 | 3.346
Classes | 100.0% (4/4) 💚 | 3.346
Methods | 100.0% (39/39) 💚 | 7.443
Lines | 93.842% (640/682) 👍 | 5.434
Conditionals | 100.0% (0/0) 💚 |

philippkahr and others added 3 commits October 6, 2023 09:54
…peline/default.yml

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
…peline/default.yml

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
…peline/pipeline_dns.yml

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@philippkahr
Contributor Author

@efd6 I did remove the non-ECS-conforming fields. Does the rest look good?

@efd6
Contributor

efd6 commented Oct 12, 2023

Is there a reason not to include the flags as the ECS-compliant field?

@philippkahr
Contributor Author

The dns.header_flags are already set here:

@efd6
Contributor

efd6 commented Oct 12, 2023

🤦
Thanks. I will take a look in the morning.

@efd6 efd6 changed the title Infoblox NIOS DNS dataset Infoblox NIOS: add geoip and registered domain processors to DNS ingestion Oct 12, 2023

@efd6 efd6 left a comment


Please update the proposed commit message to match the current state of the change. Otherwise LGTM.

@philippkahr
Contributor Author

Can you take care of it please? I am out on PTO for another full week :)

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@efd6 efd6 changed the title Infoblox NIOS: add geoip and registered domain processors to DNS ingestion Infoblox_nios: add client geoip and registered_domain processors to dns data Oct 15, 2023
@efd6 efd6 merged commit 093cf15 into elastic:main Oct 15, 2023
@elasticmachine

Package infoblox_nios - 1.17.0 containing this change is available at https://epr.elastic.co/search?package=infoblox_nios

Labels: enhancement (New feature or request), Integration:infoblox_nios (Infoblox NIOS)