From 80a3942245b291a8168815c6f486bba8fc66f586 Mon Sep 17 00:00:00 2001
From: Wes
Date: Mon, 22 Jan 2024 20:15:48 +0000
Subject: [PATCH 1/3] Rename RITA pipelines
---
salt/elasticsearch/files/ingest/{rita.beacon => rita.beacons} | 0
.../files/ingest/{rita.connection => rita.connections} | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename salt/elasticsearch/files/ingest/{rita.beacon => rita.beacons} (100%)
rename salt/elasticsearch/files/ingest/{rita.connection => rita.connections} (100%)
diff --git a/salt/elasticsearch/files/ingest/rita.beacon b/salt/elasticsearch/files/ingest/rita.beacons
similarity index 100%
rename from salt/elasticsearch/files/ingest/rita.beacon
rename to salt/elasticsearch/files/ingest/rita.beacons
diff --git a/salt/elasticsearch/files/ingest/rita.connection b/salt/elasticsearch/files/ingest/rita.connections
similarity index 100%
rename from salt/elasticsearch/files/ingest/rita.connection
rename to salt/elasticsearch/files/ingest/rita.connections
From b08db3e05a7a038a69cf34d3511a729959e2c243 Mon Sep 17 00:00:00 2001
From: Wes
Date: Mon, 22 Jan 2024 20:16:43 +0000
Subject: [PATCH 2/3] Add RITA policy
---
.../grid-nodes_general/rita-logs.json | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json
new file mode 100644
index 000000000..4dc46e8e2
--- /dev/null
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json
@@ -0,0 +1,34 @@
+{
+ "package": {
+ "name": "log",
+ "version": "2.3.0"
+ },
+ "name": "rita-logs",
+ "namespace": "so",
+ "description": "RITA Logs",
+ "policy_id": "so-grid-nodes_general",
+ "vars": {},
+ "inputs": {
+ "logs-logfile": {
+ "enabled": true,
+ "streams": {
+ "log.logs": {
+ "enabled": true,
+ "vars": {
+ "paths": [
+ "/nsm/rita/beacons.csv",
+ "/nsm/rita/exploded-dns.csv",
+ "/nsm/rita/long-connections.csv"
+ ],
+ "exclude_files": [],
+ "ignore_older": "72h",
+ "data_stream.dataset": "rita",
+ "tags": [],
+ "processors": "- dissect:\n tokenizer: \"/nsm/rita/%{pipeline}.csv\"\n field: \"log.file.path\"\n trim_chars: \".csv\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\").split(\"-\");\n if (pl.length > 1) {\n pl = pl[1];\n }\n else {\n pl = pl[0];\n }\n event.Put(\"@metadata.pipeline\", \"rita.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: rita",
+ "custom": "exclude_lines: ['^Score', '^Source', '^Domain', '^No results']"
+ }
+ }
+ }
+ }
+ }
+}
From 5542db0aac7d0c6467b028a284381597bbf8a350 Mon Sep 17 00:00:00 2001
From: Wes
Date: Mon, 22 Jan 2024 21:07:46 +0000
Subject: [PATCH 3/3] Leave package version null
---
.../files/integrations/grid-nodes_general/rita-logs.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json
index 4dc46e8e2..a97faaa5f 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json
@@ -1,7 +1,7 @@
 {
 "package": {
 "name": "log",
- "version": "2.3.0"
+ "version": ""
 },
 "name": "rita-logs",
 "namespace": "so",
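Review bot: The script processor inside the `processors` var routes `exploded-dns.csv` to an ingest pipeline named `rita.dns` (the split on `-` keeps only the second part), yet the only pipelines touched in this series are `rita.beacons` and `rita.connections`; if no `rita.dns` ingest pipeline exists on the stack, events from that file would most likely be rejected with a pipeline-not-found error and never reach the `rita` dataset. The `trim_chars: ".csv"` line in the dissect step also looks unnecessary and slightly hazardous: the tokenizer `/nsm/rita/%{pipeline}.csv` already leaves `.csv` out of the captured value, and in the Beats dissect processor `trim_chars` is a set of characters applied only when `trim_values` is enabled, so if that were ever turned on it would strip the trailing `s` from `beacons` and `connections` and break routing to the freshly renamed pipelines. I would drop that line and replace the split with an explicit map from file stem to pipeline name (`beacons`, `exploded-dns`, `long-connections` → `beacons`, `dns`, `connections`) so the mapping is visible in one place and can be checked against the pipelines that actually exist.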
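Review bot: The subject says the package version is left null, but the new line writes an empty string, `"version": ""`, which is a different value; if the Fleet policy loader treats `""` as "use the installed version" that deserves a sentence in the commit message, since the JSON file itself cannot carry a comment, and if it expects a real `null` or an absent key the empty string may fail validation. Either way an unpinned version means this policy follows whichever `log` package the stack has installed, so a package upgrade can change dissect or script behaviour with no change in this repository; if that is the intent, saying so where these integration files are installed would make it explicit. The enclosing object continues outside the hunk.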