Fix Wazuh WEL Parsing

2025-12-06 09:12:45 +01:00 · 2022-01-10 13:55:38 -05:00
parent 43eda0c5a3
commit 56aa24d874
1 changed files with 6 additions and 0 deletions
--- a/salt/elasticsearch/files/ingest/ossec
+++ b/salt/elasticsearch/files/ingest/ossec
@@ -39,6 +39,12 @@
    { "rename":         { "field": "decoder.name",                   "target_field": "event.dataset",         "ignore_missing": true  } },
    { "rename":         { "field": "rule.description",                   "target_field": "rule.name",         "ignore_missing": true  } },
    { "rename":         { "field": "rule.id",                            "target_field": "rule.uuid",         "ignore_missing": true  } },
+    { "script": {
+        "if": "ctx.winlog?.event_data != null", 
+        "lang": "painless", 
+        "source": "Map eventData = ctx['winlog']['event_data']; Map updatedEventData = new HashMap(); for (String key: eventData.keySet()) { updatedEventData[key.substring(0,1).toUpperCase() + key.substring(1)] = eventData[key] } ctx['winlog']['event_data'] = updatedEventData"
+            }
+          },
    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 1",          "field": "rule.category", "value": "None"                               } },
    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 2",          "field": "rule.category", "value": "System low priority notification"   } },
    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 3",          "field": "rule.category", "value": "Successful/authorized event"        } },