From 9d63a477929e72e9b4aaf923ecee98620dd23904 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 29 Nov 2023 12:01:43 -0500
Subject: [PATCH] Certificate hash

---
 salt/elasticsearch/files/ingest/zeek.x509 | 79 ++++++++++++-----------
 1 file changed, 40 insertions(+), 39 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.x509 b/salt/elasticsearch/files/ingest/zeek.x509
index 640ea81e3..64d06131a 100644
--- a/salt/elasticsearch/files/ingest/zeek.x509
+++ b/salt/elasticsearch/files/ingest/zeek.x509
@@ -3,44 +3,45 @@
 "processors" : [
 { "set": { "field": "event.dataset", "value": "x509" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.serial", "target_field": "x509.certificate.serial", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.subject", "target_field": "x509.certificate.subject", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.issuer", "target_field": "x509.certificate.issuer", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.not_valid_before", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.not_valid_after", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.key_alg", "target_field": "x509.certificate.key.algorithm", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.sig_alg", "target_field": "x509.certificate.signing_algorithm", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.key_type", "target_field": "x509.certificate.key.type", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.key_length", "target_field": "x509.certificate.key.length", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.exponent", "target_field": "x509.certificate.exponent", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.curve", "target_field": "x509.certificate.curve", "ignore_missing": true } },
- { "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.san.dns", "target_field": "x509.san_dns", "ignore_missing": true } },
- { "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.san.uri", "target_field": "x509.san_uri", "ignore_missing": true } },
- { "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.san.email", "target_field": "x509.san_email", "ignore_missing": true } },
- { "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.san.ip", "target_field": "x509.san_ip", "ignore_missing": true } },
- { "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.basic_constraints.ca", "target_field": "x509.basic_constraints.ca", "ignore_missing": true } },
- { "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.basic_constraints.path_length", "target_field": "x509.basic_constraints.path_length", "ignore_missing": true } },
- { "pipeline": { "name": "zeek.common_ssl" } }
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.serial", "target_field": "x509.certificate.serial", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.subject", "target_field": "x509.certificate.subject", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.issuer", "target_field": "x509.certificate.issuer", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.not_valid_before", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.not_valid_after", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.key_alg", "target_field": "x509.certificate.key.algorithm", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.sig_alg", "target_field": "x509.certificate.signing_algorithm", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.key_type", "target_field": "x509.certificate.key.type", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.key_length", "target_field": "x509.certificate.key.length", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.exponent", "target_field": "x509.certificate.exponent", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.curve", "target_field": "x509.certificate.curve", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.dns", "target_field": "x509.san_dns", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.uri", "target_field": "x509.san_uri", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.email", "target_field": "x509.san_email", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.ip", "target_field": "x509.san_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.basic_constraints.ca", "target_field": "x509.basic_constraints.ca", "ignore_missing": true } },
+ { "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.basic_constraints.path_length", "target_field": "x509.basic_constraints.path_length", "ignore_missing": true } },
+ { "rename": { "field": "message2.fingerprint", "target_field": "hash.sha256", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common_ssl" } }
 ]
 }
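Review bot: The only functional change in this hunk is the new `{ "rename": { "field": "message2.fingerprint", "target_field": "hash.sha256", "ignore_missing": true } }` processor, yet all 38 surrounding processors are removed and re-added with identical content, which looks like an indentation-only rewrite; keeping whitespace churn in a separate commit would make the one mapping change reviewable and bisectable. The target name `hash.sha256` hard-codes the digest algorithm, so it is worth confirming that the Zeek `fingerprint` column is a SHA-256 digest for the Zeek version deployed here, and that the index template maps `hash.sha256` as `keyword` (dynamic mapping would otherwise create a `text` field, which breaks exact-match lookups against certificate allow/deny lists and threat-intel enrichment). Because `ignore_missing` is set, events from a Zeek build that does not emit `fingerprint` pass through silently with no hash, so a short note in the accompanying Salt state or README stating which Zeek version provides the field would help operators notice that gap.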