zeek: use dynamic mapping for object fields (#8080)

efd6 · web-flow · commit cc5374c41468 · 2023-10-05T06:16:27.000+10:30
diff --git a/packages/zeek/changelog.yml b/packages/zeek/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 2.19.0
+  changes:
+    - description: Use dynamic mappings for object fields.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/8080
 - version: 2.18.0
   changes:
     - description: Modified the field definitions to reference ECS where possible and remove invalid field attributes.
diff --git a/packages/zeek/data_stream/intel/fields/fields.yml b/packages/zeek/data_stream/intel/fields/fields.yml
@@ -32,8 +32,10 @@
           type: keyword
           description: |
             If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
-        - name: f
+        - name: f.*
           type: object
+          object_type: keyword
+          object_type_mapping_type: '*'
           description: |
             If the data was discovered within a file, the file record should go here to provide context to the data.
         - name: fuid
diff --git a/packages/zeek/docs/README.md b/packages/zeek/docs/README.md
@@ -1200,7 +1200,7 @@ intelligence data matches.
 | zeek.intel.fuid | If a file was associated with this intelligence hit, this is the uid for the file. | keyword |
 | zeek.intel.matched | Event to represent a match in the intelligence data from data that was seen. | keyword |
 | zeek.intel.seen.conn | If the data was discovered within a connection, the connection record should go here to give context to the data. | keyword |
-| zeek.intel.seen.f | If the data was discovered within a file, the file record should go here to provide context to the data. | object |
+| zeek.intel.seen.f.\* | If the data was discovered within a file, the file record should go here to provide context to the data. | object |
 | zeek.intel.seen.fuid | If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. | keyword |
 | zeek.intel.seen.host | If the indicator type was Intel::ADDR, then this field will be present. | keyword |
 | zeek.intel.seen.indicator | The intelligence indicator. | keyword |
diff --git a/packages/zeek/manifest.yml b/packages/zeek/manifest.yml
@@ -1,6 +1,6 @@
 name: zeek
 title: Zeek
-version: "2.18.0"
+version: "2.19.0"
 description: Collect logs from Zeek with Elastic Agent.
 type: integration
 icons:
