From ed384740d6624241cbc36b60c2b2505a7d268ce3 Mon Sep 17 00:00:00 2001
From: fearful-symmetry
Date: Tue, 13 Aug 2024 14:05:48 -0700
Subject: [PATCH 1/7] set map_to_ecs to true by default
---
 packages/network_traffic/changelog.yml | 5 +++++
 packages/network_traffic/data_stream/amqp/manifest.yml | 1 +
 packages/network_traffic/data_stream/cassandra/manifest.yml | 1 +
 packages/network_traffic/data_stream/dhcpv4/manifest.yml | 1 +
 packages/network_traffic/data_stream/dns/manifest.yml | 1 +
 packages/network_traffic/data_stream/flow/manifest.yml | 1 +
 packages/network_traffic/data_stream/http/manifest.yml | 1 +
 packages/network_traffic/data_stream/icmp/manifest.yml | 1 +
 packages/network_traffic/data_stream/memcached/manifest.yml | 1 +
 packages/network_traffic/data_stream/mongodb/manifest.yml | 1 +
 packages/network_traffic/data_stream/mysql/manifest.yml | 1 +
 packages/network_traffic/data_stream/nfs/manifest.yml | 1 +
 packages/network_traffic/data_stream/pgsql/manifest.yml | 1 +
 packages/network_traffic/data_stream/redis/manifest.yml | 1 +
 packages/network_traffic/data_stream/sip/manifest.yml | 1 +
 packages/network_traffic/data_stream/thrift/manifest.yml | 1 +
 packages/network_traffic/data_stream/tls/manifest.yml | 1 +
 packages/network_traffic/manifest.yml | 2 +-
 18 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/packages/network_traffic/changelog.yml b/packages/network_traffic/changelog.yml
index 8f744c24649..6c071f072c2 100644
--- a/packages/network_traffic/changelog.yml
+++ b/packages/network_traffic/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.32.0"
+ changes:
+ - description: Set `map_to_ecs` to enabled by default
+ type: enhancement
+ link: https://github.com/elastic/integrations/issues/10059
 - version: "1.31.0"
 changes:
 - description: Expose `with_vlans` and `ignore_outgoing`
diff --git a/packages/network_traffic/data_stream/amqp/manifest.yml b/packages/network_traffic/data_stream/amqp/manifest.yml
index 0bb2d7afa49..8ca763fcd24 100644
--- a/packages/network_traffic/data_stream/amqp/manifest.yml
+++ b/packages/network_traffic/data_stream/amqp/manifest.yml
@@ -130,6 +130,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: AMQP
 description: Capture AMQP Traffic
 template_path: amqp.yml.hbs
diff --git a/packages/network_traffic/data_stream/cassandra/manifest.yml b/packages/network_traffic/data_stream/cassandra/manifest.yml
index 7ba1ff6cc6d..36ffbd2daa8 100644
--- a/packages/network_traffic/data_stream/cassandra/manifest.yml
+++ b/packages/network_traffic/data_stream/cassandra/manifest.yml
@@ -117,6 +117,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: Cassandra
 description: Capture Cassandra Traffic
 template_path: cassandra.yml.hbs
diff --git a/packages/network_traffic/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
index 1aa7607adf5..94ac9799cb8 100644
--- a/packages/network_traffic/data_stream/dhcpv4/manifest.yml
+++ b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
@@ -65,6 +65,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: DHCP
 description: Capture DHCP Traffic
 template_path: dhcpv4.yml.hbs
diff --git a/packages/network_traffic/data_stream/dns/manifest.yml b/packages/network_traffic/data_stream/dns/manifest.yml
index c8f5a2f50de..5def63d5446 100644
--- a/packages/network_traffic/data_stream/dns/manifest.yml
+++ b/packages/network_traffic/data_stream/dns/manifest.yml
@@ -120,6 +120,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: DNS
 description: Capture DNS Traffic
 template_path: dns.yml.hbs
diff --git a/packages/network_traffic/data_stream/flow/manifest.yml b/packages/network_traffic/data_stream/flow/manifest.yml
index ed73beef964..7deac984815 100644
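Review bot: The added `default: true` changes what this data stream emits for every policy that never set the option explicitly, and the same line is added in the cassandra, dhcpv4, dns, flow, http, icmp, memcached, mongodb, mysql, nfs, pgsql, redis, sip, thrift and tls manifests in this patch. The hunk does not show the variable's `name`, so this assumes it is the `map_to_ecs` option the subject names; the README later in the series lists both `mongodb.*` and `network_traffic.mongodb.*` layouts, which suggests the option selects which field names reach the index. If Fleet applies the new default to existing policies on package upgrade, detection rules, saved searches and dashboards keyed on the previous names silently stop matching rather than fail, which makes this a `breaking-change` from the consumer's side even though the changelog entry in this patch files it as `enhancement`. The changelog line should name the field layout that changes and say that rules and visualizations need a review after upgrading, and a comment beside the new default, `# enabled by default since 1.32.0; set false to keep the previous field layout`, records that the flip is deliberate.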
--- a/packages/network_traffic/data_stream/flow/manifest.yml
+++ b/packages/network_traffic/data_stream/flow/manifest.yml
@@ -65,3 +65,4 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
diff --git a/packages/network_traffic/data_stream/http/manifest.yml b/packages/network_traffic/data_stream/http/manifest.yml
index 2ad867128c8..10fbc4846e7 100644
--- a/packages/network_traffic/data_stream/http/manifest.yml
+++ b/packages/network_traffic/data_stream/http/manifest.yml
@@ -190,6 +190,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: HTTP
 description: Capture HTTP Traffic
 template_path: http.yml.hbs
diff --git a/packages/network_traffic/data_stream/icmp/manifest.yml b/packages/network_traffic/data_stream/icmp/manifest.yml
index 5476bf1833d..4c150fe8866 100644
--- a/packages/network_traffic/data_stream/icmp/manifest.yml
+++ b/packages/network_traffic/data_stream/icmp/manifest.yml
@@ -58,3 +58,4 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
diff --git a/packages/network_traffic/data_stream/memcached/manifest.yml b/packages/network_traffic/data_stream/memcached/manifest.yml
index 8bb55cbbbce..7a8447d27ba 100644
--- a/packages/network_traffic/data_stream/memcached/manifest.yml
+++ b/packages/network_traffic/data_stream/memcached/manifest.yml
@@ -141,6 +141,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: Memcached
 description: Capture Memcached Traffic
 template_path: memcached.yml.hbs
diff --git a/packages/network_traffic/data_stream/mongodb/manifest.yml b/packages/network_traffic/data_stream/mongodb/manifest.yml
index 0ac427c7089..0417d397ab9 100644
--- a/packages/network_traffic/data_stream/mongodb/manifest.yml
+++ b/packages/network_traffic/data_stream/mongodb/manifest.yml
@@ -111,6 +111,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: MongoDB
 description: Capture MongoDB Traffic
 template_path: mongodb.yml.hbs
diff --git a/packages/network_traffic/data_stream/mysql/manifest.yml b/packages/network_traffic/data_stream/mysql/manifest.yml
index e6de4480a9b..34b106f3206 100644
--- a/packages/network_traffic/data_stream/mysql/manifest.yml
+++ b/packages/network_traffic/data_stream/mysql/manifest.yml
@@ -92,6 +92,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: MySQL
 description: Capture MySQL Traffic
 template_path: mysql.yml.hbs
diff --git a/packages/network_traffic/data_stream/nfs/manifest.yml b/packages/network_traffic/data_stream/nfs/manifest.yml
index 279a6783ba6..7e150ddab0b 100644
--- a/packages/network_traffic/data_stream/nfs/manifest.yml
+++ b/packages/network_traffic/data_stream/nfs/manifest.yml
@@ -92,6 +92,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: NFS
 description: Capture NFS Traffic
 template_path: nfs.yml.hbs
diff --git a/packages/network_traffic/data_stream/pgsql/manifest.yml b/packages/network_traffic/data_stream/pgsql/manifest.yml
index 4d03ad0cdb8..54986404131 100644
--- a/packages/network_traffic/data_stream/pgsql/manifest.yml
+++ b/packages/network_traffic/data_stream/pgsql/manifest.yml
@@ -92,6 +92,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: PostgreSQL
 description: Capture PostgreSQL Traffic
 template_path: pgsql.yml.hbs
diff --git a/packages/network_traffic/data_stream/redis/manifest.yml b/packages/network_traffic/data_stream/redis/manifest.yml
index b8d8042e004..f29675ff2d5 100644
--- a/packages/network_traffic/data_stream/redis/manifest.yml
+++ b/packages/network_traffic/data_stream/redis/manifest.yml
@@ -111,6 +111,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: Redis
 description: Capture Redis Traffic
 template_path: redis.yml.hbs
diff --git a/packages/network_traffic/data_stream/sip/manifest.yml b/packages/network_traffic/data_stream/sip/manifest.yml
index d465123ed08..6a8c120e376 100644
--- a/packages/network_traffic/data_stream/sip/manifest.yml
+++ b/packages/network_traffic/data_stream/sip/manifest.yml
@@ -86,6 +86,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: SIP
 description: Capture SIP Traffic
 template_path: sip.yml.hbs
diff --git a/packages/network_traffic/data_stream/thrift/manifest.yml b/packages/network_traffic/data_stream/thrift/manifest.yml
index e233a99a875..ff933e5c572 100644
--- a/packages/network_traffic/data_stream/thrift/manifest.yml
+++ b/packages/network_traffic/data_stream/thrift/manifest.yml
@@ -166,6 +166,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: Thrift
 description: Capture Thrift Traffic
 template_path: thrift.yml.hbs
diff --git a/packages/network_traffic/data_stream/tls/manifest.yml b/packages/network_traffic/data_stream/tls/manifest.yml
index 4eaebadfca0..565faccf81b 100644
--- a/packages/network_traffic/data_stream/tls/manifest.yml
+++ b/packages/network_traffic/data_stream/tls/manifest.yml
@@ -92,6 +92,7 @@ streams:
 show_user: true
 multi: false
 required: false
+ default: true
 title: TLS
 description: Capture TLS Traffic
 template_path: tls.yml.hbs
diff --git a/packages/network_traffic/manifest.yml b/packages/network_traffic/manifest.yml
index b1d4aabe2b6..01aecf2675a 100644
--- a/packages/network_traffic/manifest.yml
+++ b/packages/network_traffic/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: network_traffic
 title: Network Packet Capture
-version: "1.31.0"
+version: "1.32.0"
 description: Capture and analyze network traffic from a host with Elastic Agent.
 type: integration
 categories:
From acc861a1033d9624d089830879cc7cd25d9e5778 Mon Sep 17 00:00:00 2001
From: fearful-symmetry
Date: Tue, 13 Aug 2024 14:16:26 -0700
Subject: [PATCH 2/7] update changelog
---
 packages/network_traffic/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/network_traffic/changelog.yml b/packages/network_traffic/changelog.yml index 6c071f072c2..68779b5617a 100644 --- a/packages/network_traffic/changelog.yml +++ b/packages/network_traffic/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Set `map_to_ecs` to enabled by default type: enhancement - link: https://github.com/elastic/integrations/issues/10059 + link: https://github.com/elastic/integrations/issues/10785 - version: "1.31.0" changes: - description: Expose `with_vlans` and `ignore_outgoing` From 905d02961ee0c52ad12a53d2ccd6857ed633c9e3 Mon Sep 17 00:00:00 2001 From: fearful-symmetry Date: Wed, 14 Aug 2024 10:20:13 -0700 Subject: [PATCH 3/7] update mongodb fields --- .../network_traffic/data_stream/mongodb/fields/protocol.yml | 4 ++-- .../data_stream/mongodb/fields/protocol_ecs.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/network_traffic/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/data_stream/mongodb/fields/protocol.yml index a84465c61ea..d9315b4f3c2 100644 --- a/packages/network_traffic/data_stream/mongodb/fields/protocol.yml +++ b/packages/network_traffic/data_stream/mongodb/fields/protocol.yml @@ -27,7 +27,7 @@ The number of documents in the reply. - name: startingFrom - type: keyword + type: long description: > Where in the cursor this reply is starting. @@ -52,7 +52,7 @@ A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. - name: cursorId - type: keyword + type: long description: > The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. diff --git a/packages/network_traffic/data_stream/mongodb/fields/protocol_ecs.yml b/packages/network_traffic/data_stream/mongodb/fields/protocol_ecs.yml index 2aaf82486b5..95ffb8bb7d0 100644 --- a/packages/network_traffic/data_stream/mongodb/fields/protocol_ecs.yml 
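Review bot: Switching `startingFrom` from `keyword` to `long` retypes a field that is already mapped, and the same switch is made for `cursorId` in the next hunk and for both fields in protocol_ecs.yml; backing indices created before the upgrade keep the `keyword` mapping, so queries and aggregations across the data stream can hit a type conflict on these fields until those indices roll over, and neither the 1.32.0 changelog entry nor this patch mentions it. PATCH 6/7 of this series reverts the change, so the final state is unaffected, but if a numeric mapping is attempted again it needs its own changelog line typed `breaking-change` and either a new field name or a documented rollover step.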
+++ b/packages/network_traffic/data_stream/mongodb/fields/protocol_ecs.yml @@ -37,7 +37,7 @@ The number of documents in the reply. - name: startingFrom - type: keyword + type: long description: > Where in the cursor this reply is starting. @@ -62,7 +62,7 @@ A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. - name: cursorId - type: keyword + type: long description: > The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. From aa80bb1b0ce60b0d87bc18085a742f2f00e39db4 Mon Sep 17 00:00:00 2001 From: fearful-symmetry Date: Wed, 14 Aug 2024 10:42:25 -0700 Subject: [PATCH 4/7] update docs --- packages/network_traffic/docs/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/network_traffic/docs/README.md b/packages/network_traffic/docs/README.md index da835c26c57..7e65241a71e 100644 --- a/packages/network_traffic/docs/README.md +++ b/packages/network_traffic/docs/README.md 
@@ -3121,7 +3121,7 @@ Fields published for MongoDB packets.
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword |
+| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | long |
 | mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword |
 | mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword |
 | mongodb.numberReturned | The number of documents in the reply. | long |
@@ -3130,7 +3130,7 @@ Fields published for MongoDB packets.
 | mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. | keyword |
 | mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword |
 | mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword |
-| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword |
+| mongodb.startingFrom | Where in the cursor this reply is starting. | long |
 | mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
 | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
@@ -3139,7 +3139,7 @@ Fields published for MongoDB packets.
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| network_traffic.mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword |
+| network_traffic.mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | long |
 | network_traffic.mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword |
 | network_traffic.mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword |
 | network_traffic.mongodb.method | The command/verb/method of the transaction. | keyword |
@@ -3150,7 +3150,7 @@ Fields published for MongoDB packets.
 | network_traffic.mongodb.resource | The logical resource that this transaction refers to. | keyword |
 | network_traffic.mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword |
 | network_traffic.mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword |
-| network_traffic.mongodb.startingFrom | Where in the cursor this reply is starting. | keyword |
+| network_traffic.mongodb.startingFrom | Where in the cursor this reply is starting. | long |
 | network_traffic.mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword |
 | network_traffic.status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
From 2137e3306caaafc35bcec4681c899cf303c3236b Mon Sep 17 00:00:00 2001
From: fearful-symmetry
Date: Wed, 21 Aug 2024 07:28:09 -0700
Subject: [PATCH 5/7] fix changelog
---
 packages/network_traffic/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/network_traffic/changelog.yml b/packages/network_traffic/changelog.yml
index 68779b5617a..22d240edc5c 100644
--- a/packages/network_traffic/changelog.yml
+++ b/packages/network_traffic/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Set `map_to_ecs` to enabled by default
 type: enhancement
- link: https://github.com/elastic/integrations/issues/10785
+ link: https://github.com/elastic/integrations/pull/10785
 - version: "1.31.0"
 changes:
 - description: Expose `with_vlans` and `ignore_outgoing`
From 7aa6dbc18ffc177cc8c05c8082e535d06ce075cd Mon Sep 17 00:00:00 2001
From: fearful-symmetry
Date: Thu, 22 Aug 2024 08:20:05 -0700
Subject: [PATCH 6/7] revert name changes, try to get test working
---
 .../_dev/test/system/test-mongo-3-0-session-config.yml | 2 ++
 .../network_traffic/data_stream/mongodb/fields/protocol.yml | 4 ++--
 .../data_stream/mongodb/fields/protocol_ecs.yml | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/packages/network_traffic/data_stream/mongodb/_dev/test/system/test-mongo-3-0-session-config.yml b/packages/network_traffic/data_stream/mongodb/_dev/test/system/test-mongo-3-0-session-config.yml
index f3768b9668a..c429d18fd0d 100644
--- a/packages/network_traffic/data_stream/mongodb/_dev/test/system/test-mongo-3-0-session-config.yml
+++ b/packages/network_traffic/data_stream/mongodb/_dev/test/system/test-mongo-3-0-session-config.yml
@@ -4,5 +4,7 @@ input: packet
 numeric_keyword_fields:
 - mongodb.cursorId
 - mongodb.startingFrom
+ - network_traffic.mongodb.cursorId
+ - network_traffic.mongodb.startingFrom
 data_stream:
 vars: ~
diff --git a/packages/network_traffic/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/data_stream/mongodb/fields/protocol.yml
index d9315b4f3c2..a84465c61ea 100644
--- a/packages/network_traffic/data_stream/mongodb/fields/protocol.yml
+++ b/packages/network_traffic/data_stream/mongodb/fields/protocol.yml
@@ -27,7 +27,7 @@
 The number of documents in the reply.
 - name: startingFrom
- type: long
+ type: keyword
 description: >
 Where in the cursor this reply is starting.
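Review bot: The two added `numeric_keyword_fields` entries extend the test exemption for values that arrive as numbers but are mapped `keyword` to the ECS-prefixed names, so the system test stops reporting the mismatch rather than the mismatch being resolved; the protocol.yml hunk below and the protocol_ecs.yml hunks in this patch restore `keyword` for `cursorId` and `startingFrom`, which makes number-in-event, keyword-in-mapping the intended state, and nothing in either file says so. Presumably the new entries are needed because `vars: ~` runs the test with the default flipped in PATCH 1/7 and the `network_traffic.mongodb.*` copies now appear in the events; confirm that is the cause rather than a second mapping problem. A `keyword` mapping serves exact-match lookups in rules but not range comparisons on a cursor id, so the decision belongs in the fields file, `# emitted as a number, mapped keyword on purpose; listed under numeric_keyword_fields in the system test` on both fields, with `# numeric in events, keyword in the mapping; see fields/protocol.yml` on this list.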
@@ -52,7 +52,7 @@ A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. - name: cursorId - type: long + type: keyword description: > The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. diff --git a/packages/network_traffic/data_stream/mongodb/fields/protocol_ecs.yml b/packages/network_traffic/data_stream/mongodb/fields/protocol_ecs.yml index 95ffb8bb7d0..2aaf82486b5 100644 --- a/packages/network_traffic/data_stream/mongodb/fields/protocol_ecs.yml +++ b/packages/network_traffic/data_stream/mongodb/fields/protocol_ecs.yml @@ -37,7 +37,7 @@ The number of documents in the reply. - name: startingFrom - type: long + type: keyword description: > Where in the cursor this reply is starting. @@ -62,7 +62,7 @@ A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. - name: cursorId - type: long + type: keyword description: > The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. From 8382ae839a5ea85c45efc12a3cd785fe7d42027b Mon Sep 17 00:00:00 2001 From: fearful-symmetry Date: Thu, 22 Aug 2024 09:43:19 -0700 Subject: [PATCH 7/7] upate readme --- packages/network_traffic/docs/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/network_traffic/docs/README.md b/packages/network_traffic/docs/README.md index 7e65241a71e..da835c26c57 100644 --- a/packages/network_traffic/docs/README.md +++ b/packages/network_traffic/docs/README.md 
@@ -3121,7 +3121,7 @@ Fields published for MongoDB packets.
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | long |
+| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword |
 | mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword |
 | mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword |
 | mongodb.numberReturned | The number of documents in the reply. | long |
@@ -3130,7 +3130,7 @@ Fields published for MongoDB packets.
 | mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. | keyword |
 | mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword |
 | mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword |
-| mongodb.startingFrom | Where in the cursor this reply is starting. | long |
+| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword |
 | mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
 | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
@@ -3139,7 +3139,7 @@ Fields published for MongoDB packets.
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| network_traffic.mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | long |
+| network_traffic.mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword |
 | network_traffic.mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword |
 | network_traffic.mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword |
 | network_traffic.mongodb.method | The command/verb/method of the transaction. | keyword |
@@ -3150,7 +3150,7 @@ Fields published for MongoDB packets.
 | network_traffic.mongodb.resource | The logical resource that this transaction refers to. | keyword |
 | network_traffic.mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword |
 | network_traffic.mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword |
-| network_traffic.mongodb.startingFrom | Where in the cursor this reply is starting. | long |
+| network_traffic.mongodb.startingFrom | Where in the cursor this reply is starting. | keyword |
 | network_traffic.mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword |
 | network_traffic.status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |