Update Import and Zeek integration policies; also update Zeek ingest node pipelines to set event.dataset.

2025-12-07 09:42:46 +01:00 · 2023-01-23 21:44:46 +00:00
parent d342f3c4b8
commit 40c6b380df
113 changed files with 129 additions and 27 deletions
--- a/salt/elasticsearch/files/ingest/zeek.bacnet
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bacnet",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bacnet" } },
    { "remove":         { "field": ["host"],								"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig",		"target_field": "bacnet.is_orig",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bacnet_discovery",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bacnet_discovery" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
    { "rename":         { "field": "message2.is_orig",		"target_field": "bacnet.is_orig",		"ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.bacnet_property
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_property
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bacnet_property",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bacnet_property" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
    { "json":           { "field": "message",			"target_field": "message2",			"ignore_failure": true  } },
    { "rename":         { "field": "message2.is_orig",          "target_field": "bacnet.is_orig",         "ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_ip_header",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bsap_ip_header" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.num_msg",		"target_field": "bsap.number.messages",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_ip_rdb",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bsap_ip_rdb" } },
    { "remove":         { "field": ["host"],										"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",				"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.header_size",	"target_field": "bsap.header.length",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_ip_unknown",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bsap_ip_unknown" } },
    { "remove":         { "field": ["host"],							"ignore_failure": true	} },
    { "json":		{ "field": "message",		"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.data",	"target_field": "bsap.ip.unknown.data",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_serial_header",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bsap_serial_header" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.ser",		"target_field": "bsap.message.serial_number",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_serial_rdb",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bsap_serial_rdb" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true  } },
    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.func_code",	"target_field": "bsap.rdb.function",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_serial_rdb_ext",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bsap_serial_rdb_ext" } },
    { "remove":         { "field": ["host"],								"ignore_failure": true  } },
    { "json":		{ "field": "message",		"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.dfun",	"target_field": "bsap.destination.function",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_serial_unknown",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "bsap_serial_unknown" } },
    { "remove":         { "field": ["host"],								"ignore_failure": true  } },
    { "json":		{ "field": "message",		"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.data",	"target_field": "bsap.serial.unknown.data",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.cip
+++ b/salt/elasticsearch/files/ingest/zeek.cip
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.cip",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "cip" } },
    { "remove":         { "field": ["host"],											"ignore_failure": true	} },
    { "json":		{ "field": "message",				"target_field": "message2",				"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig",			"target_field": "cip.is_orig",			        "ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.cip_identity
+++ b/salt/elasticsearch/files/ingest/zeek.cip_identity
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.cip_identity",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "cip_identity" } },
    { "remove":         { "field": ["host"],										"ignore_failure": true	} },
    { "json":		{ "field": "message",				"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.encapsulation_version",	"target_field": "cip.encapsulation.version",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.cip_io
+++ b/salt/elasticsearch/files/ingest/zeek.cip_io
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.cip_io",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "cip_io" } },
    { "remove":         { "field": ["host"],								"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig",		"target_field": "cip.is_orig",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.conn",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "conn" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                              } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.cotp
+++ b/salt/elasticsearch/files/ingest/zeek.cotp
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.cotp",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "cotp" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.pdu_code", 		"target_field": "cotp.pdu.code",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dce_rpc
+++ b/salt/elasticsearch/files/ingest/zeek.dce_rpc
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dce_rpc",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "dce_rpc" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.rtt", 		"target_field": "event.duration",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dhcp
+++ b/salt/elasticsearch/files/ingest/zeek.dhcp
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dhcp",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "dhcp" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } }, 
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.uids", 	 	"target_field": "log.id.uids",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dnp3
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dnp3",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "dnp3" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fc_request",	"target_field": "dnp3.fc_request",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dnp3_control
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_control
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dnp3_control",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "dnp3_control" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		        "ignore_failure": true	} },
    { "rename":         { "field": "message2.block_type",       "target_field": "dnp3.block_type",              "ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.dnp3_objects
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dnp3_objects",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "dnp3_objects" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.function_code",	"target_field": "dnp3.function_code",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dns",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "dns" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dpd
+++ b/salt/elasticsearch/files/ingest/zeek.dpd
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dpd",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "dpd" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_aoe_info",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ecat_aoe_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.targetid", 		"target_field": "destination.mac",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_arp_info",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ecat_arp_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.arp_type", 		"target_field": "ecat.arp.type",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_coe_info",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ecat_coe_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.number", 		"target_field": "ecat.message.number",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_dev_info",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ecat_dev_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		          "ignore_failure": true	} },
    { "rename": 	{ "field": "message2.slave_id",         "target_field": "ecat.slave.address",		  "ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_foe_info",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ecat_foe_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.opcode", 		"target_field": "ecat.operation.code",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_log_address
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_log_address",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ecat_log_address" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.srcmac", 		"target_field": "source.mac",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_registers
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_registers
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_registers",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ecat_registers" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.srcmac", 		"target_field": "source.mac",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_soe_info",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ecat_soe_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.opcode", 		"target_field": "ecat.operation.code",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.enip
+++ b/salt/elasticsearch/files/ingest/zeek.enip
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.enip",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "enip" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig", 		"target_field": "enip.is_orig",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.files",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "files" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fuid", 	 	"target_field": "log.id.fuid",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ftp
+++ b/salt/elasticsearch/files/ingest/zeek.ftp
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ftp",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ftp" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.user",		"target_field": "ftp.user",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.http
+++ b/salt/elasticsearch/files/ingest/zeek.http
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.http",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "http" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":           { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
    { "rename": 	{ "field": "message2.trans_depth",	"target_field": "http.trans_depth",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.intel
+++ b/salt/elasticsearch/files/ingest/zeek.intel
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.intel",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "intel" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "dot_expander":   { "field": "seen.indicator",    "path": "message2",                     "ignore_failure": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.irc
+++ b/salt/elasticsearch/files/ingest/zeek.irc
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.irc",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "irc" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.nick", 		"target_field": "irc.nickname",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.kerberos
+++ b/salt/elasticsearch/files/ingest/zeek.kerberos
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.kerberos",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "kerberos" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.request_type", 	"target_field": "kerberos.request_type",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.modbus
+++ b/salt/elasticsearch/files/ingest/zeek.modbus
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.modbus",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "modbus" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.func", 		"target_field": "modbus.function",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.modbus_detailed
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.modbus_detailed",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "modbus_detailed" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit_id",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.modbus_mask_write_register",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "modbus_mask_write_register" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			 "target_field": "message2",		        "ignore_failure": true	} },
    { "rename": 	{ "field": "message2.unit_id", 		 "target_field": "modbus.unit_id",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.read_write_multiple_registers",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "modbus_read_write_multiple_registers" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit_id",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.mysql
+++ b/salt/elasticsearch/files/ingest/zeek.mysql
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.mysql",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "mysql" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.cmd", 		"target_field": "mysql.command",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.notice
+++ b/salt/elasticsearch/files/ingest/zeek.notice
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.notice",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "notice" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fuid", 		"target_field": "log.id.fuid",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ntlm
+++ b/salt/elasticsearch/files/ingest/zeek.ntlm
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ntlm",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ntlm" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",				"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.hostname",			"target_field": "host.name",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.msg_type",			"target_field": "opcua.message_type",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_activate_session",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session" } },
    { "remove":   { "field": ["host"],                                                                                  "ignore_failure": true } },
    { "json":     { "field": "message",			               "target_field": "message2",		        "ignore_failure": true} },
    { "rename":   { "field": "message2.opcua_link_id",                 "target_field": "opcua.link_id",                 "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_activate_session_client_software_cert",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_client_software_cert" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.client_software_cert_link_id",	"target_field": "opcua.client_software_cert_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_activate_session_diagnostic_info",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_diagnostic_info" } },
    { "remove":   { "field": ["host"],														"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.activate_session_diag_info_link_id",	"target_field": "opcua.activate_session_diag_info_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_activate_session_locale_id",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_locale_id" } },
    { "remove":   { "field": ["host"],									"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_locale_link_id",	"target_field": "opcua.locale_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_browse" } },
    { "remove":   { "field": ["host"],													"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",				"target_field": "opcua.link_id",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_description",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_description" } },
    { "remove":   { "field": ["host"],														"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_description_link_id",     	"target_field": "opcua.browse_description_link_id",		"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_diagnostic_info",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_diagnostic_info" } },
    { "remove":   { "field": ["host"],													"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_diag_info_link_id",	"target_field": "opcua.browse_session_diag_info_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_request_continuation_point",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_request_continuation_point" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_next_link_id",	"target_field": "opcua.browse_next_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_response_references",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_response_references" } },
    { "remove":   { "field": ["host"],													"ignore_failure": true } },
    { "json":     { "field": "message",			                        "target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_reference_link_id",               "target_field": "opcua.link_id",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_result",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_result" } },
    { "remove":   { "field": ["host"],											"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_response_link_id",	"target_field": "opcua.response_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_session",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_create_session" } },
    { "remove":   { "field": ["host"],                                                                                      "ignore_failure": true } },
    { "json":     { "field": "message",			            "target_field": "message2",		                    "ignore_failure": true} },
    { "rename":   { "field": "message2.opcua_link_id",              "target_field": "opcua.link_id",                        "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_session_discovery",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_create_session_discovery" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.discovery_profile_link_id",	"target_field": "opcua.discovery_profile_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_session_endpoints",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_create_session_endpoints" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.endpoint_link_id",	"target_field": "opcua.endpoint_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_session_user_token",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_create_session_user_token" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_subscription",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_create_subscription" } },
    { "remove":   { "field": ["host"],                                                                                              "ignore_failure": true } },
    { "json":     { "field": "message",			                 "target_field": "message2",		                    "ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",                   "target_field": "opcua.link_id",                           "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_diag_info_detail",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_diag_info_detail" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.diag_info_link_id",	"target_field": "opcua.diag_info_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints" } },
    { "remove":   { "field": ["host"],								"ignore_failure": true } },
    { "json":     { "field": "message",			"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",	"target_field": "opcua.link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_description",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_description" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.endpoint_description_link_id",	"target_field": "opcua.endpoint_description_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_discovery",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_discovery" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.discovery_profile_link_id",	"target_field": "opcua.discovery_profile_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_locale_id",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_locale_id" } },
    { "remove":   { "field": ["host"],									"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_locale_link_id",	"target_field": "opcua.locale_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_profile_uri",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_profile_uri" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.profile_uri_link_id",	"target_field": "opcua.profile_uri_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_user_token",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_user_token" } },
    { "remove":   { "field": ["host"],                                                                                                         "ignore_failure": true } },
    { "json":     { "field": "message",			                 "target_field": "message2",		                               "ignore_failure": true } },
    { "rename":   { "field": "message2.user_token_link_id", 	         "target_field": "opcua.user_token_link_id",		               "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_opensecure_channel",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_opensecure_channel" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",			"target_field": "opcua.link_id",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",		"target_field": "opcua.link_id",		"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_array_dims",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_array_dims" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.array_dim_link_id",	"target_field": "opcua.array_dim_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_array_dims_link",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_array_dims_link" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.variant_data_array_dim_link_id",	"target_field": "opcua.variant_data_array_dim_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_diagnostic_info",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_diagnostic_info" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.read_diag_info_link_id",	"target_field": "opcua.read_diag_info_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_extension_object",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_extension_object" } },
    { "remove":   { "field": ["host"],													"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.ext_obj_link_id",		"target_field": "opcua.ext_obj_link_id",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_extension_object_link",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_extension_object_link" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.variant_data_ext_obj_link_id",	"target_field": "opcua.variant_data_ext_obj_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_nodes_to_read",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_nodes_to_read" } },
    { "remove":   { "field": ["host"],											"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.nodes_to_read_link_id",	"target_field": "opcua.nodes_to_read_link_id",		"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_results",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_results" } },
    { "remove":   { "field": ["host"],														"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.results_link_id",			"target_field": "opcua.results_link_id",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_results_link",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_results_link" } },
    { "remove":   { "field": ["host"],														"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.read_results_link_id",			"target_field": "opcua.read_results_link_id",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_status_code",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_status_code" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.read_status_code_link_id",	"target_field": "opcua.read_status_code_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_variant_data",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_variant_data" } },
    { "remove":   { "field": ["host"],														"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.read_variant_data_link_id",		"target_field": "opcua.read_variant_data_link_id",		"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_variant_data_link",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_read_variant_data_link" } },
    { "remove":   { "field": ["host"],														"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.read_results_variant_data_link_id",	"target_field": "opcua.read_results_variant_data_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_status_code_detail",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "opcua_binary_status_code_detail" } },
    { "remove":   { "field": ["host"],                                                                                              "ignore_failure": true } },
    { "json":     { "field": "message",			             "target_field": "message2",		                    "ignore_failure": true } },
    { "rename":   { "field": "message2.status_code", 	             "target_field": "opcua.status_code",	                    "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.pe
+++ b/salt/elasticsearch/files/ingest/zeek.pe
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.pe",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "pe" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.id", 	 	"target_field": "log.id.fuid",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.profinet
+++ b/salt/elasticsearch/files/ingest/zeek.profinet
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.profinet",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "profinet" } },
    { "remove":   { "field": ["host"],                                                                                          "ignore_failure": true } },
    { "json":     { "field": "message",			             "target_field": "message2",		                "ignore_failure": true} },
    { "rename":   { "field": "message2.operation_type",               "target_field": "profinet.operation_type",                           "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc
+++ b/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.profinet_dce_rpc",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "profinet_dce_rpc" } },
    { "remove":   { "field": ["host"],                                                                                          "ignore_failure": true } },
    { "json":     { "field": "message",			             "target_field": "message2",		                "ignore_failure": true} },
    { "rename":   { "field": "message2.version",               "target_field": "profinet.version",                           "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.radius
+++ b/salt/elasticsearch/files/ingest/zeek.radius
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.radius",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "radius" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.username", 	"target_field": "user.name",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.rdp
+++ b/salt/elasticsearch/files/ingest/zeek.rdp
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.rdp",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "rdp" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.cookie", 		"target_field": "rdp.cookie",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.rfb
+++ b/salt/elasticsearch/files/ingest/zeek.rfb
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.rfb",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "rfb" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.client_major_version",	"target_field": "rfb.client_major_version",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.s7comm
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.s7comm",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "s7comm" } },
    { "remove":   { "field": ["host"],								"ignore_failure": true } },
    { "json":     { "field": "message",			"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.rosctr_code",	"target_field": "s7.ros.control.code",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.s7comm_plus
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_plus
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.s7comm_plus",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "s7comm_plus" } },
    { "remove":   { "field": ["host"],								"ignore_failure": true } },
    { "json":     { "field": "message",			"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.version",	"target_field": "s7.version",		"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.s7comm_read_szl",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "s7comm_read_szl" } },
    { "remove":   { "field": ["host"],									"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.pdu_reference",		"target_field": "s7.pdu_reference",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.s7comm_upload_download
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_upload_download
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.s7comm_upload_download",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "s7comm_upload_download" } },
    { "remove":   { "field": ["host"],									"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.rosctr",                 "target_field": "s7.ros.control.name",  "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.signatures
+++ b/salt/elasticsearch/files/ingest/zeek.signatures
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.signatures",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "signatures" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.note", 		"target_field": "note",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.sip
+++ b/salt/elasticsearch/files/ingest/zeek.sip
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.sip",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "sip" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.trans_depth", 	"target_field": "sip.transaction.depth",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.smb_files
+++ b/salt/elasticsearch/files/ingest/zeek.smb_files
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.smb_files",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "smb_files" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fuid", 		"target_field": "log.id.fuid",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.smb_mapping
+++ b/salt/elasticsearch/files/ingest/zeek.smb_mapping
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.smb_mapping",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "smb_mapping" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.path", 		"target_field": "smb.path",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.smtp
+++ b/salt/elasticsearch/files/ingest/zeek.smtp
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.smtp",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "smtp" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "remove":		{ "field": "path",			"ignore_failure": true						} },
--- a/salt/elasticsearch/files/ingest/zeek.snmp
+++ b/salt/elasticsearch/files/ingest/zeek.snmp
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.snmp",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "snmp" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.duration",		"target_field": "event.duration",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.socks
+++ b/salt/elasticsearch/files/ingest/zeek.socks
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.socks",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "socks" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.version", 		"target_field": "socks.version",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.software
+++ b/salt/elasticsearch/files/ingest/zeek.software
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.software",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "software" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "dot_expander": 	{ "field": "version.major", 		"path": "message2", 			"ignore_failure": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ssh
+++ b/salt/elasticsearch/files/ingest/zeek.ssh
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ssh",
  "processors" : [
+    { "set": { "field": "event.dataset", "value": "ssh" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",				"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.version", 			"target_field": "ssh.version",			"ignore_missing": true 	} },
--- a/Show More
+++ b/Show More