Additional field renames and updates

Wes
2022-11-30 15:01:41 +00:00
parent 768225ff5a
commit 5d72f8d55a
11 changed files with 25 additions and 25 deletions


@@ -7,7 +7,7 @@
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
{ "rename": { "field": "message2.extfun", "target_field": "bsap.extension.function", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "bsap.extension.function.data", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "bsap.extension.function_data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}
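Review bot: The new target on the `message2.data` line changes the indexed field name from `bsap.extension.function.data` to `bsap.extension.function_data`, and nothing in the visible sections updates the saved searches, detection rules or index templates that may still reference the old name, so they would stop matching without any error. The same applies to the other target renames in this commit (`cip.sequence_number`, `ecat.error_code`, `opcua.secure_channel_id`, the `opcua.session_id_*` and `opcua.auth_token_*` fields, and the rest). I would list the old-to-new names in the commit description and sweep saved content against that list before rollout. The processors array opens before this hunk, so earlier processors are not visible here.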


@@ -3,7 +3,7 @@
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
{ "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },


@@ -5,7 +5,7 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
{ "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } },
{ "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence_number", "ignore_missing": true } },
{ "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
{ "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }


@@ -6,9 +6,9 @@
{ "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
{ "rename": { "field": "message2.reserved", "target_field": "ecat.reserved", "ignore_missing": true } },
{ "rename": { "field": "message2.packet_num", "target_field": "ecat.packet.number", "ignore_missing": true } },
{ "rename": { "field": "message2.error_code", "target_field": "ecat.error.code", "ignore_missing": true } },
{ "rename": { "field": "message2.error_code", "target_field": "ecat.error_code", "ignore_missing": true } },
{ "rename": { "field": "message2.filename", "target_field": "ecat.filename", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}
}


@@ -8,7 +8,7 @@
{ "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
{ "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
{ "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
{ "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
{ "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel_id", "ignore_missing": true } },
{ "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
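Review bot: `message2.seq_number` is renamed to `opcua.sequence_number` twice in this hunk, once before and once after the `sec_channel_id` line, and the second processor can never fire because the first has already moved the field and `ignore_missing` hides the miss. If the second entry was meant to map a different source column, that column is currently left unmapped, so it is worth checking against the Zeek log's columns; otherwise the duplicate can be deleted. Both lines are unchanged context, so this predates the commit.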


@@ -9,8 +9,8 @@
{ "convert": { "field": "opcua.encoding_mask", "type": "string",
"ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view_description_timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description_view_version", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
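Review bot: The two flattened targets use different prefixes for sibling source fields: `browse_view_description_timestamp` becomes `opcua.view_description_timestamp` while `browse_view_description_view_version` becomes `opcua.description_view_version`. An analyst searching by prefix will find only one of the pair; if nothing else depends on the shorter name, `"target_field": "opcua.view_description_view_version"` would keep them together. `opcua.request.max_ref_nodes` further down still uses the dotted form this commit is moving away from, which may be intentional but is worth confirming.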


@@ -8,7 +8,7 @@
{ "rename": { "field": "message2.browse_description_numeric", "target_field": "opcua.browse_description_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_direction", "target_field": "opcua.browse_direction", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_description_ref_encoding_mask", "target_field": "opcua.browse_description_ref_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_description_ref_numeric", "target_field": "opcua.browse_description.ref_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_description_ref_numeric", "target_field": "opcua.browse_description_ref_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_description_include_subtypes", "target_field": "opcua.browse_description_include_subtypes", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_node_class_mask", "target_field": "opcua.browse_node_class_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_result_mask", "target_field": "opcua.browse_result_mask", "ignore_missing": true } },


@@ -4,12 +4,12 @@
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id.guid", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token.guid", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id_namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id_guid", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token_namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token_guid", "ignore_missing": true } },
{ "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
{ "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
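Review bot: The renamed `opcua.session_id_*` and `opcua.auth_token_*` fields, together with `opcua.server_nonce` below them, appear to carry OPC UA session and authentication-token identifiers, and any field-level access or masking rule written against the old dotted names (for example a pattern such as `opcua.auth_token.*`) would no longer cover them after this change. I would confirm how these fields are restricted in the index and update those rules in the same change. The processors list continues past the end of this hunk.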


@@ -4,8 +4,8 @@
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_policy_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}
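Review bot: Both changed lines still read from `message2.user_token_link_id`, which the processor just above has already renamed to `opcua.user_token_link_id`, so with `ignore_missing` set they never run and `opcua.user_token_policy_id` and `opcua.user_token_type` are never populated. The source looks copy-pasted: another pipeline in this commit maps the type from `message2.user_token_type`, so here I would expect `"field": "message2.user_token_type"` and, presumably, `"field": "message2.user_token_policy_id"` (confirm the column names against the Zeek log). Until that is fixed the token type and policy are missing from the indexed events, which limits what a detection on anonymous or weak user tokens can see.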


@@ -4,8 +4,8 @@
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token_type", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token_security_policy_uri", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}