Add support for dns.resolved_ip

2025-12-06 09:12:45 +01:00 · 2025-06-20 15:02:59 -04:00
parent 92e9bd43ca
commit 31cd5b1365
2 changed files with 12 additions and 2 deletions
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -20,7 +20,8 @@
    { "rename": 	{ "field": "message2.RD", 		"target_field": "dns.recursion.desired",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.RA", 		"target_field": "dns.recursion.available",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.Z",		"target_field": "dns.reserved",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.answers", 		"target_field": "dns.answers.name",		"ignore_missing": true 	} },
+    { "rename":  	{ "field": "message2.answers", 		"target_field": "dns.answers.name", 		"ignore_missing": true  	} },
+    { "script": { "lang": "painless", "if": "ctx.dns != null && ctx.dns.answers != null && ctx.dns.answers.name != null", "source": "def ips = []; for (item in ctx.dns.answers.name) { if (item =~ /^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$/ || item =~ /^([a-fA-F0-9:]+:+)+[a-fA-F0-9]+$/) { ips.add(item); } } ctx.dns.resolved_ip = ips;" } },
    { "rename": 	{ "field": "message2.TTLs", 		"target_field": "dns.ttls",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.rejected", 	"target_field": "dns.query.rejected",		"ignore_missing": true 	} },
    { "script": 	{ "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()",	"ignore_failure": true  } },
@@ -28,4 +29,4 @@
    { "pipeline": { "if": "ctx.dns?.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
    { "pipeline":       { "name": "zeek.common"											} }
  ]
-}
+}
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -190,6 +190,15 @@ transformations:
      - type: logsource
        category: network
        service: dns
+    # Maps "network + http" to SO HTTP logs
+    - id: network_http_so_add-fields
+      type: add_condition
+      conditions:
+        tags: 'http'
+      rule_conditions:
+      - type: logsource
+        category: network
+        service: http
    # Maps "network + file" to SO file logs
    - id: network_file_so_add-fields
      type: add_condition