# SPDX-FileCopyrightText: 2021 Birger Schacht
#
# SPDX-License-Identifier: AGPL-3.0-or-later
import json
from intelmq.lib.bot import Bot
class ECSExpertBot(Bot):
    """Write some fields to the output field in ECS format"""

    def process(self):
        """Translate selected message fields into an ECS document.

        The resulting dictionary is serialized as JSON and stored in the
        ``output`` field of the message, which is then forwarded to the
        next bot and acknowledged.
        """
        msg = self.receive_message()

        # If the event source has no original timestamp, this value is
        # typically populated by the first time the event was received by the
        # pipeline.
        # (https://www.elastic.co/guide/en/ecs/current/ecs-base.html)
        timestamp_key = 'time.source' if 'time.source' in msg else 'time.observation'
        ecs = {'@timestamp': msg[timestamp_key]}

        # IntelMQ harmonization key -> ECS field name. Kept as an ordered
        # sequence so the serialized JSON has the same key order as before.
        field_map = (
            ('feed.provider', 'event.provider'),
            ('source.ip', 'server.ip'),
            ('source.fqdn', 'server.domain'),
            ('feed.name', 'event.dataset'),
        )
        for intelmq_key, ecs_key in field_map:
            if intelmq_key in msg:
                ecs[ecs_key] = msg[intelmq_key]

        # NOTE(review): msg.add() is expected to reject an already-present
        # "output" key rather than overwrite it -- confirm against
        # intelmq.lib.message before relying on that behaviour upstream.
        msg.add("output", json.dumps(ecs))

        self.send_message(msg)
        self.acknowledge_message()
# Entry point looked up by the IntelMQ bot runner; must point at the bot class.
BOT = ECSExpertBot