added nat.ip and nat.port to source, destination, client and server (#…

…491)

CHANGELOG.next.md

@@ -13,6 +13,8 @@
 * Added `file.name` and `file.directory`. #441
 * Added `file.created`, and `file.accessed`. #445
 * Added `domain` field to user. #486
+* Added `.nat.ip` and `.nat.port` to `source`, `destination`, `client` and `server`. #491 
+
 
 ### Improvements
 

docs/field-details.asciidoc

@@ -230,6 +230,32 @@ type: keyword
 
 // ===============================================================
 
+| client.nat.ip
+| Translated IP of source based NAT sessions (e.g. internal client to internet).
+
+Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+
+| extended
+
+// ===============================================================
+
+| client.nat.port
+| Translated port of source based NAT sessions (e.g. internal client to internet).
+
+Typically connections traversing load balancers, firewalls, or routers.
+
+type: long
+
+
+
+| extended
+
+// ===============================================================
+
 | client.packets
 | Packets sent from the client to the server.
 
@@ -534,6 +560,32 @@ type: keyword
 
 // ===============================================================
 
+| destination.nat.ip
+| Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+
+Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+
+| extended
+
+// ===============================================================
+
+| destination.nat.port
+| Port the source session is translated to by NAT Device.
+
+Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+
+
+| extended
+
+// ===============================================================
+
 | destination.packets
 | Packets sent from the destination to the source.
 
@@ -2446,6 +2498,32 @@ type: keyword
 
 // ===============================================================
 
+| server.nat.ip
+| Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+
+Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+
+| extended
+
+// ===============================================================
+
+| server.nat.port
+| Translated port of destination based NAT sessions (e.g. internet to private DMZ)
+
+Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+
+
+| extended
+
+// ===============================================================
+
 | server.packets
 | Packets sent from the server to the client.
 
@@ -2674,6 +2752,32 @@ type: keyword
 
 // ===============================================================
 
+| source.nat.ip
+| Translated ip of source based NAT sessions (e.g. internal client to internet)
+
+Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+
+| extended
+
+// ===============================================================
+
+| source.nat.port
+| Translated port of source based NAT sessions. (e.g. internal client to internet)
+
+Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+
+
+| extended
+
+// ===============================================================
+
 | source.packets
 | Packets sent from the source to the destination.
 

generated/beats/fields.ecs.yml

@@ -215,6 +215,21 @@
       type: keyword
       ignore_above: 1024
       description: MAC address of the client.
+    - name: nat.ip
+      level: extended
+      type: ip
+      description: 'Translated IP of source based NAT sessions (e.g. internal client
+        to internet).
+
+        Typically connections traversing load balancers, firewalls, or routers.'
+    - name: nat.port
+      level: extended
+      type: long
+      format: string
+      description: 'Translated port of source based NAT sessions (e.g. internal client
+        to internet).
+
+        Typically connections traversing load balancers, firewalls, or routers.'
     - name: packets
       level: core
       type: long
@@ -463,6 +478,20 @@
       type: keyword
       ignore_above: 1024
       description: MAC address of the destination.
+    - name: nat.ip
+      level: extended
+      type: ip
+      description: 'Translated ip of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
+    - name: nat.port
+      level: extended
+      type: long
+      format: string
+      description: 'Port the source session is translated to by NAT Device.
+
+        Typically used with load balancers, firewalls, or routers.'
     - name: packets
       level: core
       type: long
@@ -1862,6 +1891,21 @@
       type: keyword
       ignore_above: 1024
       description: MAC address of the server.
+    - name: nat.ip
+      level: extended
+      type: ip
+      description: 'Translated ip of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
+    - name: nat.port
+      level: extended
+      type: long
+      format: string
+      description: 'Translated port of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
     - name: packets
       level: core
       type: long
@@ -2084,6 +2128,21 @@
       type: keyword
       ignore_above: 1024
       description: MAC address of the source.
+    - name: nat.ip
+      level: extended
+      type: ip
+      description: 'Translated ip of source based NAT sessions (e.g. internal client
+        to internet)
+
+        Typically connections traversing load balancers, firewalls, or routers.'
+    - name: nat.port
+      level: extended
+      type: long
+      format: string
+      description: 'Translated port of source based NAT sessions. (e.g. internal client
+        to internet)
+
+        Typically used with load balancers, firewalls, or routers.'
     - name: packets
       level: core
       type: long

generated/csv/fields.csv

@@ -21,6 +21,8 @@ client.geo.region_iso_code,keyword,core,CA-QC,1.1.0-dev
 client.geo.region_name,keyword,core,Quebec,1.1.0-dev
 client.ip,ip,core,,1.1.0-dev
 client.mac,keyword,core,,1.1.0-dev
+client.nat.ip,ip,extended,,1.1.0-dev
+client.nat.port,long,extended,,1.1.0-dev
 client.packets,long,core,12,1.1.0-dev
 client.port,long,core,,1.1.0-dev
 client.user.domain,keyword,extended,,1.1.0-dev
@@ -57,6 +59,8 @@ destination.geo.region_iso_code,keyword,core,CA-QC,1.1.0-dev
 destination.geo.region_name,keyword,core,Quebec,1.1.0-dev
 destination.ip,ip,core,,1.1.0-dev
 destination.mac,keyword,core,,1.1.0-dev
+destination.nat.ip,ip,extended,,1.1.0-dev
+destination.nat.port,long,extended,,1.1.0-dev
 destination.packets,long,core,12,1.1.0-dev
 destination.port,long,core,,1.1.0-dev
 destination.user.domain,keyword,extended,,1.1.0-dev
@@ -239,6 +243,8 @@ server.geo.region_iso_code,keyword,core,CA-QC,1.1.0-dev
 server.geo.region_name,keyword,core,Quebec,1.1.0-dev
 server.ip,ip,core,,1.1.0-dev
 server.mac,keyword,core,,1.1.0-dev
+server.nat.ip,ip,extended,,1.1.0-dev
+server.nat.port,long,extended,,1.1.0-dev
 server.packets,long,core,12,1.1.0-dev
 server.port,long,core,,1.1.0-dev
 server.user.domain,keyword,extended,,1.1.0-dev
@@ -268,6 +274,8 @@ source.geo.region_iso_code,keyword,core,CA-QC,1.1.0-dev
 source.geo.region_name,keyword,core,Quebec,1.1.0-dev
 source.ip,ip,core,,1.1.0-dev
 source.mac,keyword,core,,1.1.0-dev
+source.nat.ip,ip,extended,,1.1.0-dev
+source.nat.port,long,extended,,1.1.0-dev
 source.packets,long,core,12,1.1.0-dev
 source.port,long,core,,1.1.0-dev
 source.user.domain,keyword,extended,,1.1.0-dev