Merge pull request #9241 from Security-Onion-Solutions/fix/ics_pipelines_field_renames

ICS Pipelines - Various Field Renames

salt/elasticsearch/files/ingest/zeek.bacnet

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":         { "field": ["host"],								"ignore_failure": true	} },
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.is_orig",		"target_field": "bacnet.is.originator",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.is_orig",		"target_field": "bacnet.is_orig",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.bvlc_function",	"target_field": "bacnet.bclv.function",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.pdu_type",		"target_field": "bacnet.pdu.type",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.pdu_service",	"target_field": "bacnet.pdu.service",	"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.bacnet_discovery

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":         { "field": ["host"],									"ignore_failure": true	} },
     { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
-    { "rename":         { "field": "message2.is_orig",		"target_field": "bacnet.is.originator",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.is_orig",		"target_field": "bacnet.is_orig",		"ignore_missing": true  } },
     { "rename":         { "field": "message2.pdu_service",	"target_field": "bacnet.pdu.service",		"ignore_missing": true  } },
     { "rename":         { "field": "message2.object_type",	"target_field": "bacnet.object.type",		"ignore_missing": true  } },
     { "rename":         { "field": "message2.instance_number",	"target_field": "bacnet.instance.number",	"ignore_missing": true  } },

salt/elasticsearch/files/ingest/zeek.bacnet_property

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":         { "field": ["host"],									"ignore_failure": true	} },
     { "json":           { "field": "message",			"target_field": "message2",			"ignore_failure": true  } },
-    { "rename":         { "field": "message2.is_orig",          "target_field": "bacnet.is.originator",         "ignore_missing": true  } },
+    { "rename":         { "field": "message2.is_orig",          "target_field": "bacnet.is_orig",         "ignore_missing": true  } },
     { "rename":         { "field": "message2.instance_number",	"target_field": "bacnet.instance.number",	"ignore_missing": true  } },
     { "rename":         { "field": "message2.pdu_service",	"target_field": "bacnet.pdu.service",		"ignore_missing": true  } },
     { "rename":         { "field": "message2.object_type",	"target_field": "bacnet.object.type",		"ignore_missing": true  } },

salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb

@@ -10,7 +10,7 @@
     { "rename": 	{ "field": "message2.sequence",		"target_field": "bsap.function.sequence",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.app_func_code",	"target_field": "bsap.application.function",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.node_status",	"target_field": "bsap.node.status",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.func_code",	"target_field": "bsap.application.sub.function",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.func_code",	"target_field": "bsap.application.sub_function",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.variable_count",	"target_field": "bsap.variable.count",			"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.variables",	"target_field": "bsap.vector.variables",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.variable_value",	"target_field": "bsap.vector.variable.value",		"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.bsap_serial_header

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":         { "field": ["host"],									"ignore_failure": true	} },
     { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.ser",		"target_field": "bsap.message.serial.number",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ser",		"target_field": "bsap.message.serial_number",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.dadd",		"target_field": "bsap.destination.address",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.sadd",		"target_field": "bsap.source.address",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.ctl",		"target_field": "bsap.control.byte",		"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.cip

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":         { "field": ["host"],											"ignore_failure": true	} },
     { "json":		{ "field": "message",				"target_field": "message2",				"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.is_orig",			"target_field": "cip.is.origin",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.is_orig",			"target_field": "cip.is_orig",			"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.cip_sequence_count",	"target_field": "cip.sequence_count",			"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.direction",		"target_field": "cip.direction",			"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.cip_service_code",		"target_field": "cip.service_code",			"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.cip_identity

@@ -13,7 +13,7 @@
     { "rename": 	{ "field": "message2.product_code",		"target_field": "cip.device.product.code",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.revision",			"target_field": "cip.device.revision",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.device_status",		"target_field": "cip.device.status",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.serial_number",		"target_field": "cip.device.serial.number",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.serial_number",		"target_field": "cip.device.serial_number",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.product_name",		"target_field": "cip.device.product.name",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.device_state",		"target_field": "cip.device.state",		"ignore_missing": true 	} },
     { "pipeline":       { "name": "zeek.common" } }

salt/elasticsearch/files/ingest/zeek.cip_io

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":         { "field": ["host"],								"ignore_failure": true	} },
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.is_orig",		"target_field": "cip.is.origin",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.is_orig",		"target_field": "cip.is_orig",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.connection_id",	"target_field": "cip.connection.id",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.sequence_number",	"target_field": "cip.sequence.count",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.data_length",	"target_field": "cip.data.length",	"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.ecat_coe_info

@@ -5,7 +5,7 @@
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
     { "rename": 	{ "field": "message2.number", 		"target_field": "ecat.message.number",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.Type", 	"target_field": "ecat.message.type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.req_resp", 		"target_field": "ecat.request.response.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.req_resp", 		"target_field": "ecat.request.response_type",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.index", 	"target_field": "ecat.index",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.subindex", 		"target_field": "ecat.sub.index",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.dataoffset", 	"target_field": "ecat.data_offset",		"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.ecat_dev_info

@@ -7,8 +7,8 @@
     { "rename": 	{ "field": "message2.revision", 	"target_field": "ecat.revision",		  "ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.dev_type",         "target_field": "ecat.device.type",		  "ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.build", 	        "target_field": "ecat.build.version",		  "ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fmmucnt", 		"target_field": "ecat.fieldbus.mem.mgmt.unit",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fmmucnt", 		"target_field": "ecat.fieldbus.memory_mgmt_unit", "ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.smcount", 	"target_field": "ecat.sync.manager.count",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.smcount", 	        "target_field": "ecat.sync.manager_count",	  "ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.ports", 		"target_field": "ecat.port",		          "ignore_missing": true 	} },
     { "convert":        { "field": "ecat.port",                 "type": "integer",                                "ignore_missing": true  } },
     { "rename": 	{ "field": "message2.dpram", 	        "target_field": "ecat.ram.size",		  "ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.enip

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.is_orig", 		"target_field": "enip.is.origin",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.is_orig", 		"target_field": "enip.is_orig",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.enip_command_code", 	"target_field": "enip.command_code",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.enip_command", 		"target_field": "enip.command",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.length", 	"target_field": "enip.length",		"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.modbus_detailed

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit_id",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.func", 		"target_field": "modbus.function",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.network_direction", "target_field": "modbus.network.direction",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.address",	        "target_field": "modbus.address",		"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register

@@ -3,12 +3,12 @@
   "processors" : [
     { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
     { "json":		{ "field": "message",			 "target_field": "message2",		        "ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.unit_id", 		 "target_field": "modbus.unit_id",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.func", 		 "target_field": "modbus.function",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.network_direction", "target_field": "modbus.network.direction",    "ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.address",	         "target_field": "modbus.address",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.and_mask",	        "target_field": "modbus.and.mask",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.and_mask",	         "target_field": "modbus.and_mask",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.or_mask", 	        "target_field": "modbus.or.maks",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.or_mask", 	         "target_field": "modbus.or_mask",		"ignore_missing": true 	} },
     { "pipeline":       { "name": "zeek.common"                                                                                   } }
   ]
 }

salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit_id",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.func", 		"target_field": "modbus.function",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.network_direction", "target_field": "modbus.network.direction",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.write_start_address",	"target_field": "modbus.write.start.address",		"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":   { "field": ["host"],												"ignore_failure": true } },
     { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
-    { "rename":   { "field": "message2.client_software_cert_link_id",	"target_field": "opcua.client_software_cert.link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.client_software_cert_link_id",	"target_field": "opcua.client_software_cert_link_id",	"ignore_missing": true } },
     { "rename":   { "field": "message2.cert_data", 			"target_field": "opcua.certificate.data",		"ignore_missing": true } },
     { "rename":   { "field": "message2.cert_signature",			"target_field": "opcua.certificate.signature",		"ignore_missing": true } },
     { "pipeline": { "name": "zeek.common" } }

salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info

@@ -3,8 +3,8 @@
   "processors" : [
     { "remove":   { "field": ["host"],														"ignore_failure": true } },
     { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
-    { "rename":   { "field": "message2.activate_session_diag_info_link_id",	"target_field": "opcua.activate_session_diag_info.link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.activate_session_diag_info_link_id",	"target_field": "opcua.activate_session_diag_info_link_id",	"ignore_missing": true } },
-    { "rename":   { "field": "message2.diag_info_link_id",			"target_field": "opcua.diag_info.link_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.diag_info_link_id",			"target_field": "opcua.diag_info_link_id",			"ignore_missing": true } },
     { "pipeline": { "name": "zeek.common" } }
   ]
 }

salt/elasticsearch/files/ingest/zeek.opcua_binary_browse

@@ -11,7 +11,7 @@
     { "rename":   { "field": "message2.browse_view_id_numeric",			"target_field": "opcua.identifier_numeric",		"ignore_missing": true } },
     { "rename":   { "field": "message2.browse_view_description_timestamp",	"target_field": "opcua.view.description_timestamp",	"ignore_missing": true } },
     { "rename":   { "field": "message2.browse_view_description_view_version",	"target_field": "opcua.description.view_version",	"ignore_missing": true } },
-    { "rename":   { "field": "message2.browse_description_link_id",		"target_field": "opcua.description.link_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_description_link_id",		"target_field": "opcua.description_link_id",		"ignore_missing": true } },
     { "rename":   { "field": "message2.req_max_ref_nodes",			"target_field": "opcua.request.max_ref_nodes",		"ignore_missing": true } },  
     { "pipeline": { "name": "zeek.common" } }
   ]

salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info

@@ -3,8 +3,8 @@
   "processors" : [
     { "remove":   { "field": ["host"],													"ignore_failure": true } },
     { "json":     { "field": "message",					"target_field": "message2",					"ignore_failure": true } },
-    { "rename":   { "field": "message2.browse_diag_info_link_id",	"target_field": "opcua.browse_session_diag_info.link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_diag_info_link_id",	"target_field": "opcua.browse_session_diag_info_link_id",	"ignore_missing": true } },
-    { "rename":   { "field": "message2.diag_info_link_id", 		"target_field": "opcua.diag_info.link_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.diag_info_link_id", 		"target_field": "opcua.diag_info_link_id",			"ignore_missing": true } },
     { "pipeline": { "name": "zeek.common" } }
   ]
 }

salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result

@@ -3,9 +3,9 @@
   "processors" : [
     { "remove":   { "field": ["host"],											"ignore_failure": true } },
     { "json":     { "field": "message",					"target_field": "message2",			"ignore_failure": true } },
-    { "rename":   { "field": "message2.browse_response_link_id",	"target_field": "opcua.response.link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_link_id",	"target_field": "opcua.response_link_id",	"ignore_missing": true } },
-    { "rename":   { "field": "message2.browse_reference.link_id",	"target_field": "opcua.reference.link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_reference_link_id",	"target_field": "opcua.reference_link_id",	"ignore_missing": true } },
-    { "rename":   { "field": "message2.status_code.link_id",		"target_field": "opcua.status_code.link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.status_code_link_id",		"target_field": "opcua.status_code_link_id",	"ignore_missing": true } },
     { "pipeline": { "name": "zeek.common" } }
   ]
 }

salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":   { "field": ["host"],										"ignore_failure": true } },
     { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
-    { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token.link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token_link_id",	"ignore_missing": true } },
     { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token.policy_id",	"ignore_missing": true } },
     { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token.type",	"ignore_missing": true } },
     { "pipeline": { "name": "zeek.common" } }

salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token

@@ -3,7 +3,7 @@
   "processors" : [
     { "remove":   { "field": ["host"],                                                                                                         "ignore_failure": true } },
     { "json":     { "field": "message",			                 "target_field": "message2",		                               "ignore_failure": true } },
-    { "rename":   { "field": "message2.user_token_link_id", 	         "target_field": "opcua.user_token.link_id",		               "ignore_missing": true } },
+    { "rename":   { "field": "message2.user_token_link_id", 	         "target_field": "opcua.user_token_link_id",		               "ignore_missing": true } },
     { "rename":   { "field": "message2.user_token_type",                 "target_field": "opcua.user_token.type",                              "ignore_missing": true } },
     { "rename":   { "field": "message2.user_token_sec_policy_uri",       "target_field": "opcua.user_token.security_policy_uri",               "ignore_missing": true } },
     { "pipeline": { "name": "zeek.common" } }