From 6359e03ba6ee8c1203d718505f664eb410efcc2d Mon Sep 17 00:00:00 2001 From: jtgreen-cse <67059096+jtgreen-cse@users.noreply.github.com> Date: Thu, 29 Oct 2020 15:03:13 -0400 Subject: [PATCH] fix for Windows events via osquery This change was required to properly let Windows events flow through their specific pipelines. Otherwise, the `temp` field stays around and gets ingested in ES. --- salt/elasticsearch/files/ingest/osquery.query_result | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result index 3a6ed15a3..67a0b39f8 100644 --- a/salt/elasticsearch/files/ingest/osquery.query_result +++ b/salt/elasticsearch/files/ingest/osquery.query_result @@ -6,7 +6,7 @@ { "gsub": { "field": "message2.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "", "ignore_missing": true } }, { "rename": { "if": "ctx.message2.columns?.eventid != null", "field": "message2.columns", "target_field": "winlog", "ignore_missing": true } }, { "json": { "field": "winlog.data", "target_field": "temp", "ignore_failure": true } }, - { "rename": { "field": "temp.Data", "target_field": "winlog.event_data", "ignore_missing": true } }, + { "rename": { "field": "temp.EventData", "target_field": "winlog.event_data", "ignore_missing": true } }, { "rename": { "field": "winlog.source", "target_field": "winlog.channel", "ignore_missing": true } }, { "rename": { "field": "winlog.eventid", "target_field": "winlog.event_id", "ignore_missing": true } }, { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, @@ -22,4 +22,4 @@ { "set": { "field": "event.dataset", "value": "{{osquery.result.name}}", "override": false} }, { "pipeline": { "name": "common" } } ] -} \ No newline at end of file +}