From 08486e279c119602626cb65909d38ec967df5c1a Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 19 Jan 2024 13:36:43 -0500
Subject: [PATCH 1/2] Update suricata.common

---
 salt/elasticsearch/files/ingest/suricata.common | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index 8143882c7..d6f4c5c94 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -4,6 +4,7 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.pkt_src", "target_field": "network.packet_source","ignore_failure": true } },
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
+ { "lowercase": { "field": "network.transport", "ignore_failure": true } },
 { "rename": { "field": "message2.in_iface", "target_field": "observer.ingress.interface.name", "ignore_failure": true } },
 { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
 { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },

From efe8cfda953c8501c70edceac6a186613bb52b17 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 19 Jan 2024 13:39:28 -0500
Subject: [PATCH 2/2] Update suricata.common

---
 salt/elasticsearch/files/ingest/suricata.common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index d6f4c5c94..6aec40a2b 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
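Review bot: The added lowercase processor uses `"ignore_failure": true`, which silently swallows every error the processor can raise, not just the absent-field case it is presumably there for; if a non-string value ever lands in `network.transport`, the processor would be skipped without trace and the field would keep its original casing. The precise option for "field may be absent" is the one the `community_id` and `xff` renames further down the same pipeline already use: `{ "lowercase": { "field": "network.transport", "ignore_missing": true } }`. With that, a genuinely malformed value surfaces as a pipeline failure instead of quietly producing mixed-case values that break exact-match detections and dashboards keyed on `network.transport`. The same line is relocated unchanged in the second hunk of PATCH 2/2, so the same change applies there.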
@@ -4,7 +4,6 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.pkt_src", "target_field": "network.packet_source","ignore_failure": true } },
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
- { "lowercase": { "field": "network.transport", "ignore_failure": true } },
 { "rename": { "field": "message2.in_iface", "target_field": "observer.ingress.interface.name", "ignore_failure": true } },
 { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
 { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
@@ -14,6 +13,7 @@
 { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } },
 { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
 { "rename": { "field": "message2.xff", "target_field": "xff.ip", "ignore_missing": true } },
+ { "lowercase": { "field": "network.transport", "ignore_failure": true } },
 { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } },
 { "set": { "field": "observer.name", "value": "{{agent.name}}" } },
 { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } },