Filebeat Netflow module - add post_nat_source_ipv4_address & ip_next_hop_ipv4_address to related.ip

[leweafan]

Describe the enhancement:

Add ip fields below to related.ip for netflow module:

• netflow.post_nat_source_ipv4_address
• netflow.ip_next_hop_ipv4_address
• netflow.post_nat_destination_ipv4_address

According to ECS field description:

All of the IPs seen on your event.

Describe a specific use case for the enhancement or feature:

Missing ip in related.ip affects security issues discovery cause you can't be sure that all event' ip indeed present in related.ip.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[leweafan]

Seems that related.ip not added by ingest pipeline but by filebeat here and fields names:

• postNATSourceIPv4Address (post_nat_source_ipv4_address)
• postNATDestinationIPv4Address (post_nat_destination_ipv4_address)
• ipNextHopIPv4Address (ip_next_hop_ipv4_address)

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)