Parse DNS Fields

[jonathan-buttner]

Create a pipeline that adds the following fields:

These fields are already populated by the elastic endgame endpoint.

Take a look at these docs for writing the ingest pipeline to do the parsing: https://www.elastic.co/guide/en/elasticsearch/reference/current/grok-processor.html

Related:
https://github.com/elastic/endpoint-dev/issues/7136

[james-elastic]

AC: A user will be able to see the three fields from the screenshot.

[jonathan-buttner]

PR is here: #88

It populates dns.question.type and dns.question.name. I looked into populating dns.question.registered_domain but it'd be pretty complicated to get it right using painless scripting I think according to the ecs spec: https://github.com/elastic/ecs/blob/master/schemas/dns.yml#L102

Also dns.question.name doesn't full adhere to the ecs spec with regards to having non-printable characters: https://github.com/elastic/ecs/blob/master/schemas/dns.yml#L74

[jonathan-buttner]

Closing this ticket as the PR above was merged.