Merge pull request #906 from Security-Onion-Solutions/fix/ingest_parsing

Fix/ingest parsing
This commit is contained in:
weslambert
2020-06-29 23:07:22 -04:00
committed by GitHub
2 changed files with 3 additions and 3 deletions


@@ -23,7 +23,7 @@
{ "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } }, { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } },
{ "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } }, { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } }, { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } },
{ "pipeline": { "if": "ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld"} }, { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld" } },
{ "pipeline": { "name": "zeek.common" } } { "pipeline": { "name": "zeek.common" } }
] ]
} }
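Review bot: The new `if` condition on the zeek.dns.tld pipeline processor only guards the last step of the path: `ctx.dns.query?.name` still dereferences `ctx.dns.query` unconditionally, so a document in which `ctx.dns` itself is absent (e.g. none of the preceding `message2.*` renames matched) would still throw a NullPointerException inside the condition script rather than skipping the sub-pipeline. Unlike the preceding script processor, this processor has no `ignore_failure`, and as far as I can tell a failing condition script fails the whole document, so such a record would be dropped from the index instead of being indexed without a TLD. Making every step null-safe avoids that: `"if": "ctx.dns?.query?.name != null && ctx.dns.query.name.contains('.')"`. The processors array and the enclosing pipeline object start before this hunk.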


@@ -13,9 +13,9 @@
{ "rename": { "field": "message2.cipher", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, { "rename": { "field": "message2.cipher", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.forwardable", "target_field": "kerberos.ticket.forwardable", "ignore_missing": true } }, { "rename": { "field": "message2.forwardable", "target_field": "kerberos.ticket.forwardable", "ignore_missing": true } },
{ "rename": { "field": "message2.renewable", "target_field": "kerberos.ticket.renewable", "ignore_missing": true } }, { "rename": { "field": "message2.renewable", "target_field": "kerberos.ticket.renewable", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client.certificate.subject", "ignore_missing": true } }, { "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client_certificate_subject", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_fuid", "target_field": "log.id.client_certificate_fuid", "ignore_missing": true } }, { "rename": { "field": "message2.client_cert_fuid", "target_field": "log.id.client_certificate_fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server.certificate.subject", "ignore_missing": true } }, { "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server_certificate_subject", "ignore_missing": true } },
{ "rename": { "field": "message2.server_cert_fuid", "target_field": "log.id.server_certificate_fuid", "ignore_missing": true } }, { "rename": { "field": "message2.server_cert_fuid", "target_field": "log.id.server_certificate_fuid", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } } { "pipeline": { "name": "zeek.common" } }
] ]
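Review bot: Renaming the two rename targets from `kerberos.client.certificate.subject` / `kerberos.server.certificate.subject` to the flat `kerberos.client_certificate_subject` / `kerberos.server_certificate_subject` changes the indexed field names, and nothing on this page records why or what depends on the old names. If any index template, saved search, dashboard or detection rule references the old dotted fields, those would stop matching silently once this ships, so the PR description should state the reason for the flattening (presumably an object-vs-keyword mapping conflict on `kerberos.client`/`kerberos.server`, but I cannot confirm that from the hunk) and whether the corresponding template and any consumers were updated. Since strict JSON cannot carry an inline comment, the rationale could also live in the pipeline's top-level `"description"` field, which starts outside this hunk.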