Commit
[suricata] Make suricata package GA with v1.0.0 (#1216)
* Make suricata package GA with v1.0.0

* Set event.module and event.dataset
marc-gr authored Jun 29, 2021
1 parent 7b0b822 commit c798690
Showing 5 changed files with 22 additions and 5 deletions.
8 changes: 8 additions & 0 deletions packages/suricata/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
- version: "1.0.0"
changes:
- description: make GA
type: enhancement
link: https://github.com/elastic/integrations/pull/1216
- description: Set "event.module" and "event.dataset"
type: enhancement
link: https://github.com/elastic/integrations/pull/1216
- version: "0.6.3"
changes:
- description: Use `wildcard` field type.
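Review bot: the two new `description` strings in this hunk do not follow the style of the existing entry (`Use `wildcard` field type.` starts with a capital, ends with a period and marks field names with backticks); "make GA" and "Set "event.module" and "event.dataset"" would read better as "Make the package GA." and "Set `event.module` and `event.dataset`.", which also keeps the generated release notes consistent.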
8 changes: 8 additions & 0 deletions packages/suricata/data_stream/eve/fields/base-fields.yml
@@ -7,6 +7,14 @@
- name: data_stream.namespace
type: constant_keyword
description: Data stream namespace.
- name: event.module
type: constant_keyword
description: Event module
value: suricata
- name: event.dataset
type: constant_keyword
description: Event dataset
value: suricata.eve
- name: '@timestamp'
type: date
description: Event timestamp.
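Review bot: the descriptions `Event module` and `Event dataset` lack the trailing period that the sibling entries use (`Data stream namespace.`, `Event timestamp.`). More importantly, both fields are declared `constant_keyword` with a fixed `value`, which means any document arriving with a different `event.module` or `event.dataset` is rejected at index time; the eve ingest pipeline and any agent-side processors must therefore never set these fields to anything other than `suricata` and `suricata.eve`, or those events will be dropped silently from the detection data.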
1 change: 0 additions & 1 deletion packages/suricata/data_stream/eve/manifest.yml
@@ -1,6 +1,5 @@
type: logs
title: Suricata eve logs
release: experimental
streams:
- input: logfile
vars:
4 changes: 3 additions & 1 deletion packages/suricata/docs/README.md
@@ -15,7 +15,7 @@ with other versions of Suricata.

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
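Review bot: the replacement of the `@timestamp` description in this hunk is covered by neither changelog entry nor the commit message; if it is a by-product of regenerating the README against a newer ECS field definition, say so in the commit message so the unrelated diff is not mistaken for a hand edit of the docs.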
@@ -68,9 +68,11 @@ with other versions of Suricata.
| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
| ecs.version | ECS version this event conforms to. | keyword |
| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
| event.dataset | Event dataset | constant_keyword |
| event.duration | Duration of the event in nanoseconds. | long |
| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
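Review bot: the new `event.dataset` and `event.module` rows describe the fields only as "Event dataset" and "Event module", and the table nowhere states the constant values (`suricata.eve` and `suricata`) that a user writing a KQL filter or a detection rule would need; since the descriptions come from `base-fields.yml`, consider wording them there as "Event dataset (always `suricata.eve`)." and "Event module (always `suricata`)." so the generated table carries the value.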
6 changes: 3 additions & 3 deletions packages/suricata/manifest.yml
@@ -1,7 +1,7 @@
name: suricata
title: Suricata
version: 0.6.3
release: experimental
version: 1.0.0
release: ga
description: Suricata Integration
type: integration
icons:
@@ -13,7 +13,7 @@ format_version: 1.0.0
license: basic
categories: [network, security]
conditions:
kibana.version: "^7.13.0"
kibana.version: "^7.14.0"
screenshots:
- src: /img/filebeat-suricata-events.png
title: filebeat suricata events
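Review bot: the `kibana.version` constraint moves from `^7.13.0` to `^7.14.0` without a matching changelog entry or any mention in the commit message; because this raises the minimum stack version users need before the GA package can be installed, add a line to the `1.0.0` changelog block or state in the commit message why GA requires 7.14.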