From c3b2d98ffb383bfdaf4be51e2ce2bf34229fc59c Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 10 Sep 2020 06:15:30 -0400
Subject: [PATCH] Add event.category to WEL

---
 salt/elasticsearch/files/ingest/import.wel | 2 +-
 salt/elasticsearch/files/ingest/win.eventlogs | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/import.wel b/salt/elasticsearch/files/ingest/import.wel
index 64add2f44..5a04324b7 100644
--- a/salt/elasticsearch/files/ingest/import.wel
+++ b/salt/elasticsearch/files/ingest/import.wel
@@ -1,7 +1,7 @@
 {
 "description" : "import.wel",
 "processors" : [
- { "remove": { "field": ["event.created","timestamp", "winlog.event_data.UtcTime"], "ignore_failure": true } },
+ { "remove": { "field": ["event.created","timestamp", "winlog.event_data.UtcTime", "event_record_id"], "ignore_failure": true } },
 { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } },
 { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } },
 { "pipeline": { "name": "common" } }
diff --git a/salt/elasticsearch/files/ingest/win.eventlogs b/salt/elasticsearch/files/ingest/win.eventlogs
index 7bd6e9a5a..f7f9d6bac 100644
--- a/salt/elasticsearch/files/ingest/win.eventlogs
+++ b/salt/elasticsearch/files/ingest/win.eventlogs
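Review bot: The new `event_record_id` entry in the remove list is not mentioned in the commit message (the subject only covers event.category), and a `remove` at ingest time is irreversible. The per-channel record ID is what lets an analyst detect gaps or reordering in an imported Windows event log, so dropping it is only safe if the same value survives elsewhere (winlogbeat normally carries it as winlog.record_id, which I cannot confirm from this hunk); the reason should be recorded in the commit message or the pipeline's `description` string, since the file format allows no comments. Separately, `"ignore_failure": true` on the whole remove masks every failure rather than just an absent field; the narrower option for this processor is `"ignore_missing": true`, though that setting predates this change.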
@@ -4,7 +4,8 @@
 { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } },
 { "set": { "if": "ctx.winlog?.channel != null", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } },
 { "set": { "if": "ctx.winlog?.computer_name != null", "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true } },
- { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } },
+ { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } },
+ { "set": { "field": "event.category", "value": "host", "override": true } },
 { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
 { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }
 ]
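Review bot: The added `event.category` set is unconditional and uses `"override": true`, so every record routed through win.eventlogs ends up with the single value `host`, clobbering any more specific category (authentication, process, file) that the shipper or an earlier processor already assigned. Detection content keyed on ECS categories filters on those specific values, so a blanket `host` narrows what rules can match rather than enriching the event; `"override": false` would keep an existing category and only fill the gap, and an `if` guard like the neighbouring set processors would make the intent explicit. ECS also defines event.category as an array-valued field, so anything that later appends a second category will have to cope with the plain string written here. The removed and re-added `event.code` line is textually identical, so that part of the hunk is presumably a whitespace or line-ending change only. The enclosing `processors` array opens before the hunk.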