Merge remote-tracking branch 'remotes/origin/2.4/dev' into 2.4/firewall

2025-12-06 17:22:49 +01:00 · 2023-01-31 13:32:51 -05:00
parent 16e1e297a0 98bea0322e
commit 8cbafb52d8
10 changed files with 49 additions and 48 deletions
--- a/salt/elasticsearch/files/ingest/import.wel
+++ b/salt/elasticsearch/files/ingest/import.wel
@@ -1,10 +1,11 @@
 {
  "description" : "import.wel",
  "processors" : [
-    { "remove":         { "field": ["event.created","timestamp", "winlog.event_data.UtcTime", "event_record_id"],     "ignore_failure": true                                               } },
-    { "pipeline":      { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'",   "name": "sysmon"  }  },
-    { "pipeline":      { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'",  "name":"win.eventlogs" }  },
-    { "dissect":       { "field": "log.file.name", "pattern" : "/tmp/%{import.id}.evtx" } },
-    { "pipeline":    { "name": "common" } }
+    { "set":           { "field": "event.ingested", "value": "{{ @timestamp }}"  } },
+    { "set" :          { "field" : "@timestamp", "value" : "{{ event.created }}" } },
+    { "remove":        { "field": [ "event_record_id", "event.created" , "timestamp" , "winlog.event_data.UtcTime" ], "ignore_failure": true } },
+    { "pipeline":      { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'",   "name": "sysmon" } },
+    { "pipeline":      { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'",  "name":"win.eventlogs" } },
+    { "pipeline":      { "name": "common" } }
  ]
-}
+}
--- a/salt/elasticsearch/files/ingest/suricata.dhcp
+++ b/salt/elasticsearch/files/ingest/suricata.dhcp
@@ -1,15 +1,17 @@
 {
  "description" : "suricata.dhcp",
  "processors" : [
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.app_proto", 	"target_field": "network.protocol",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.assigned_ip",	"target_field": "dhcp.assigned_ip",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.client_ip", 	"target_field": "client.address",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.client_mac", 	"target_field": "host.mac",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.dhcp_type", 	"target_field": "dhcp.message_types",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.hostname", 	"target_field": "host.hostname",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.type", 	"target_field": "dhcp.type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dhcp.id", 		"target_field": "dhcp.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.app_proto",	"target_field": "network.protocol",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.assigned_ip",	"target_field": "dhcp.assigned_ip",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.client_ip", 	"target_field": "client.address",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.client_mac", 	"target_field": "host.mac",		"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.dhcp_type", 	"target_field": "dhcp.message_types",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.hostname", 	"target_field": "host.hostname",	"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.type",	"target_field": "dhcp.type",		"ignore_missing": true		} },
+    { "rename": 	{ "field": "message2.dhcp.id", 		"target_field": "dhcp.id",		"ignore_missing": true		} },
+    { "set":		{ "if": "ctx.dhcp?.type == 'request'",	"field": "server.address",		"value": "{{destination.ip}}"	} },
+    { "set":		{ "if": "ctx.dhcp?.type == 'reply'",	"field": "server.address",		"value": "{{source.ip}}"	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
@@ -1,7 +1,7 @@
 {
  "description" : "zeek.files",
  "processors" : [
-    { "set": { "field": "event.dataset", "value": "files" } },
+    { "set": { "field": "event.dataset", "value": "file" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fuid", 	 	"target_field": "log.id.fuid",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.tunnels
+++ b/salt/elasticsearch/files/ingest/zeek.tunnels
@@ -1,7 +1,7 @@
 {
  "description" : "zeek.tunnels",
  "processors" : [
-    { "set": { "field": "event.dataset", "value": "tunnels" } },
+    { "set": { "field": "event.dataset", "value": "tunnel" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.tunnel_type", 	"target_field": "tunnel.type",		"ignore_missing": true 	} },