From 6ddf887342834f9871edc91f34cbbad418e9050d Mon Sep 17 00:00:00 2001
From: Josh Brower <josh@defensivedepth.com>
Date: Wed, 21 Jun 2023 09:32:42 -0400
Subject: [PATCH] Refactor EVTX Import

---
 .../integrations/grid-nodes/import-evtx-logs.json     | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json
index d585c587b..5bebfd54d 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json
@@ -7,6 +7,7 @@
   "namespace": "so",
   "description": "Import Windows EVTX logs",
   "policy_id": "so-grid-nodes",
+  "vars": {},
   "inputs": {
     "logs-logfile": {
       "enabled": true,
@@ -15,12 +16,14 @@
           "enabled": true,
           "vars": {
             "paths": [
-              "/nsm/import/*/evtx/data.json"
+              "/nsm/import/*/evtx/*.json"
             ],
             "data_stream.dataset": "import",
-            "tags": [],
-            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- add_fields:\n    target: event\n    fields:\n      module: windows_eventlog\n      imported: true",
-            "custom": "pipeline: import.wel"
+            "custom": "",
+            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      namespace: default\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true  \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows",
+            "tags": [
+              "import"
+            ]
           }
         }
       }