CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-24 09:53:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

Ensure ICS/SCADA pipelines are present

Browse Source
This commit is contained in:
Wes
2022-12-06 15:58:47 +00:00
parent 7e102949a6
commit 14af1d36cb
67 changed files with 758 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session Normal file
View File

@@ -0,0 +1,19 @@
{
"description" : "zeek.opcua_binary_create_session",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id_namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id_guid", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token_namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token_guid", "ignore_missing": true } },
{ "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
{ "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.max_req_msg_size", "target_field": "opcua.request.max_message_size", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}