From d56bf0182334c79161ad9cb809e8f92cc73b22c9 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 13 May 2026 12:32:54 -0500 Subject: [PATCH] add zeek.ja4d ingest pipeline
--- salt/elasticsearch/files/ingest/zeek.ja4d | 71 +++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/zeek.ja4d
diff --git a/salt/elasticsearch/files/ingest/zeek.ja4d b/salt/elasticsearch/files/ingest/zeek.ja4d
new file mode 100644
index 000000000..206622c49
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ja4d
@@ -0,0 +1,71 @@
+{
+ "description": "zeek.ja4d",
+ "processors": [
+ {
+ "set": {
+ "field": "event.dataset",
+ "value": "ja4d"
+ }
+ },
+ {
+ "remove": {
+ "field": [
+ "host"
+ ],
+ "ignore_failure": true
+ }
+ },
+ {
+ "json": {
+ "field": "message",
+ "target_field": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.ja4d",
+ "target_field": "hash.ja4d",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.ja4d != null && ctx.message2.ja4d.length() > 0"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.client_mac",
+ "target_field": "host.mac",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.client_mac != null && ctx.message2.client_mac.length() > 0"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.hostname",
+ "target_field": "host.hostname",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.hostname != null && ctx.message2.hostname.length() > 0"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.requested_ip",
+ "target_field": "dhcp.requested_address",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.requested_ip != null && ctx.message2.requested_ip.length() > 0"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.vendor_class_id",
+ "target_field": "zeek.ja4d.vendor_class_id",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.vendor_class_id != null && ctx.message2.vendor_class_id.length() > 0"
+ }
+ },
+ {
+ "pipeline": {
+ "name": "zeek.common"
+ }
+ }
+ ]
+}
\ No newline at end of file
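Review bot: The `remove` of `host` followed by the renames of `message2.client_mac` and `message2.hostname` into `host.mac` and `host.hostname` places values the DHCP client itself asserts on the wire (the hostname and MAC in a request are chosen by the client, so attacker-controllable) under ECS `host.*`, which detections and dashboards commonly read as the identity of the host the event was observed on; `client.mac` plus a `zeek.ja4d.hostname`-style field, matching the `zeek.ja4d.vendor_class_id` target already used in this hunk, would keep client-asserted data out of that namespace. Whether the existing `zeek.dhcp` pipeline makes the same `host.*` mapping is not visible in this diff, so if the choice is deliberate for consistency, the pipeline `description` is the one place strict JSON allows a note and could record it, e.g. `"description": "zeek.ja4d - host.mac/host.hostname are DHCP-client-asserted values"`. Separately, the `json` processor has `ignore_failure: true` and every rename is guarded by `ignore_missing` and an `if`, so a `message` that is not valid JSON still leaves this pipeline as an `event.dataset: ja4d` document with no parsed fields and no error marker; an `on_failure` on the json processor that appends a tag would make those events findable, unless `zeek.common` already handles that case.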