From a79d0319cd5ca05472b19748010c109d5013ba00 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 1 Sep 2020 13:47:27 -0400
Subject: [PATCH] Initial support for evtx import
---
 salt/elasticsearch/files/ingest/import.wel | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/import.wel
diff --git a/salt/elasticsearch/files/ingest/import.wel b/salt/elasticsearch/files/ingest/import.wel
new file mode 100644
index 000000000..64add2f44
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/import.wel
@@ -0,0 +1,9 @@
+{
+ "description" : "import.wel",
+ "processors" : [
+ { "remove": { "field": ["event.created","timestamp", "winlog.event_data.UtcTime"], "ignore_failure": true } },
+ { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } },
+ { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
\ No newline at end of file
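Review bot: The new pipeline has no `on_failure` handler, so when any of the delegated pipelines `sysmon`, `win.eventlogs` or `common` (none of which are in this patch) throws on a malformed or unexpected record, the whole document is rejected and that imported evtx event disappears from the index with no trace. For a forensic import that is the wrong failure mode; adding a top-level `"on_failure": [ { "set": { "field": "error.message", "value": "{{ _ingest.on_failure_message }}" } } ]` beside `processors` keeps the event and records why enrichment failed, so gaps in a timeline can be explained rather than going unnoticed. Separately, the `remove` processor uses `ignore_failure`, which swallows every error rather than only an absent field; if the target Elasticsearch release supports it, `"ignore_missing": true` states the actual intent (strip import-time timestamps when present) without masking other problems. Note also that a record with no `winlog.channel` at all satisfies the `!=` condition and is routed to `win.eventlogs`; since strict JSON allows no comments, the `description` value is the place to say so, e.g. `"description" : "import.wel: strip import-time timestamps, route by winlog.channel (Sysmon -> sysmon, everything else incl. missing channel -> win.eventlogs), then common"`. The file also lacks a trailing newline, which most editors and linters will keep flagging on every later diff.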