Thanks in advance.
{
"_index": "packetbeat-7.13.0-2021.05.27-000001",
"_type": "_doc",
"_id": "qb-YsHkBaLY-wtaGkYay",
"_version": 1,
"_score": null,
"fields": {
"event.category": [
"network_traffic",
"network"
],
"host.os.name.text": [
"Windows 10 Home"
],
"server.ip": [
"192.168.1.132"
],
"user_agent.original.text": [
"curl/7.55.1"
],
"host.hostname": [
"system-1"
],
"type": [
"http"
],
"host.mac": [
"08:00:27:af:27:05",
"08:00:27:25:b4:1d"
],
"http.request.method": [
"get"
],
"host.os.version": [
"10.0"
],
"http.response.bytes": [
326
],
"host.os.name": [
"Windows 10 Home"
],
"source.ip": [
"10.0.4.15"
],
"agent.name": [
"system-1"
],
"http.request.headers.content-length": [
0
],
"network.community_id": [
"1:N3spwyL5MkI9pdKXDRJxWl5Ro5A="
],
"host.name": [
"system-1"
],
"http.response.status_code": [
200
],
"http.version": [
"1.1"
],
"event.kind": [
"event"
],
"user_agent.original": [
"curl/7.55.1"
],
"host.os.type": [
"windows"
],
"method": [
"get"
],
"query": [
"GET /enroll.txt"
],
"client.ip": [
"10.0.4.15"
],
"agent.hostname": [
"system-1"
],
"host.architecture": [
"x86_64"
],
"http.response.status_phrase": [
"ok"
],
"url.path": [
"/enroll.txt"
],
"source.port": [
61053
],
"agent.id": [
"e380159b-3f97-45de-957b-b8b6fb9719ca"
],
"bytes_out": [
326
],
"client.port": [
61053
],
"ecs.version": [
"1.9.0"
],
"agent.version": [
"7.13.0"
],
"destination.bytes": [
326
],
"host.os.family": [
"windows"
],
"event.start": [
"2021-05-28T01:30:58.931Z"
],
"status": [
"OK"
],
"server.bytes": [
326
],
"destination.port": [
8000
],
"bytes_in": [
92
],
"event.end": [
"2021-05-28T01:30:58.940Z"
],
"url.scheme": [
"http"
],
"host.os.build": [
"17763.1577"
],
"http.request.bytes": [
92
],
"host.ip": [
"fe80::9dfb:2aae:7112:2f1a",
"172.16.0.4",
"fe80::b9b0:36e6:1851:225d",
"10.0.4.15"
],
"agent.type": [
"packetbeat"
],
"network.protocol": [
"http"
],
"related.ip": [
"10.0.4.15",
"192.168.1.132"
],
"host.os.kernel": [
"10.0.17763.1577 (WinBuild.160101.0800)"
],
"url.port": [
8000
],
"server.port": [
8000
],
"network.bytes": [
418
],
"network.direction": [
"egress"
],
"url.full": [
"http://192.168.1.132:8000/enroll.txt"
],
"host.id": [
"918837dd-23bd-46e8-acae-f5e8f0cbb947"
],
"network.type": [
"ipv4"
],
"source.bytes": [
92
],
"http.response.headers.content-length": [
140
],
"destination.ip": [
"192.168.1.132"
],
"url.full.text": [
"http://192.168.1.132:8000/enroll.txt"
],
"http.response.body.bytes": [
140
],
"network.transport": [
"tcp"
],
"event.duration": [
8540000
],
"http.response.headers.content-type": [
"text/plain"
],
"@timestamp": [
"2021-05-28T01:30:58.931Z"
],
"host.os.platform": [
"windows"
],
"client.bytes": [
92
],
"event.type": [
"connection",
"protocol"
],
"url.domain": [
"192.168.1.132"
],
"agent.ephemeral_id": [
"c4bfc6e4-b383-42ac-b1b3-9784c41eca16"
],
"event.dataset": [
"http"
]
},
"highlight": {
"user_agent.original": [
"@kibana-highlighted-field@curl/7.55.1@/kibana-highlighted-field@"
]
},
"sort": [
1622165458931
]
}
Describe the enhancement:
I would like if Packetbeat could populate the
`url.extension` field. It is defined in ECS and listed as an exported field for Packetbeat, but the HTTP protocol module does not appear to populate it yet. In the sample document below (`url.path` is `/enroll.txt`), I would expect it to contain
`url.extension: txt` (the extension without the leading dot, as ECS specifies). Thanks in advance.
Sample
Describe a specific use case for the enhancement or feature:
When performing network analysis, specifically for threat research, being able to filter or aggregate on the requested file extension helps identify and track the download of executable or otherwise interesting payloads (e.g. `.exe`, `.dll`, `.ps1`, `.zip`). Note that the extension is derived from the client-supplied URL path, so it is attacker-controlled and should be treated as a pivot point rather than a reliable indicator of content: a payload can be served under any name. In detections it is best combined with fields Packetbeat already emits, such as `http.response.headers.content-type` (`text/plain` in the sample above) and `http.response.body.bytes`, or with content inspection where available.