ENH: Test new feature

Signed-off-by: Sebastian Waldbauer <waldbauer@cert.at>

custom_bots/ecs/expert

@@ -0,0 +1,33 @@
+#!/usr/bin/python3
+# EASY-INSTALL-ENTRY-SCRIPT: 'intelmq==3.0.1b1','console_scripts','intelmq.bots.experts.ecs.expert'
+import re
+import sys
+
+# for compatibility with easy_install; see #2198
+__requires__ = 'intelmq==3.0.1b1'
+
+try:
+    from importlib.metadata import distribution
+except ImportError:
+    try:
+        from importlib_metadata import distribution
+    except ImportError:
+        from pkg_resources import load_entry_point
+
+
+def importlib_load_entry_point(spec, group, name):
+    dist_name, _, _ = spec.partition('==')
+    matches = (
+        entry_point
+        for entry_point in distribution(dist_name).entry_points
+        if entry_point.group == group and entry_point.name == name
+    )
+    return next(matches).load()
+
+
+globals().setdefault('load_entry_point', importlib_load_entry_point)
+
+
+if __name__ == '__main__':
+    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
+    sys.exit(load_entry_point('intelmq==3.0.1b1', 'console_scripts', 'intelmq.bots.experts.ecs.expert')())

custom_bots/ecs/expert.py

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2021 Birger Schacht
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+import json
+from intelmq.lib.bot import Bot
+
+
+class ECSExpertBot(Bot):
+    """Write some fields to the output field in ECS format"""
+
+    def process(self):
+        msg = self.receive_message()
+
+        ecs = {}
+
+        # If the event source has no original timestamp, this value is
+        # typically populated by the first time the event was received by the
+        # pipeline.
+        # (https://www.elastic.co/guide/en/ecs/current/ecs-base.html)
+        ecs['@timestamp'] = msg['time.source'] if 'time.source' in msg else msg['time.observation']
+
+        if 'feed.provider' in msg:
+            ecs['event.provider'] = msg['feed.provider']
+        if 'source.ip' in msg:
+            ecs['server.ip'] = msg['source.ip']
+        if 'source.fqdn' in msg:
+            ecs['server.domain'] = msg['source.fqdn']
+        if 'feed.name' in msg:
+            ecs['event.dataset'] = msg['feed.name']
+
+        msg.add("output", json.dumps(ecs))
+
+        self.send_message(msg)
+        self.acknowledge_message()
+
+
+BOT = ECSExpertBot

docker-compose.yml

@@ -26,6 +26,9 @@ services:
             - ./example_config/intelmq-api/config.json:/etc/intelmq/api-config.json
             - ./intelmq_logs:/opt/intelmq/var/log
             - ./intelmq_output:/opt/intelmq/var/lib/bots
+
+            - ./custom_bots/ecs/expert:/usr/local/bin/intelmq.bots.experts.ecs.expert:rx
+            - ./custom_bots/ecs/expert.py:/etc/intelmq/intelmq/bots/experts/ecs/expert.py:ro
         depends_on:
             - redis
         environment: