update ingest files

2025-12-06 17:22:49 +01:00 · 2020-04-05 20:40:00 +00:00
parent 35fc87e5f6
commit 9e50387eec
6 changed files with 22 additions and 21 deletions
--- a/salt/elasticsearch/files/ingest/ossec.alert
+++ b/salt/elasticsearch/files/ingest/ossec.alert
@@ -33,6 +33,7 @@
    { "rename":         { "field": "data.win.eventdata.user",                   "target_field": "user.name",            "ignore_missing": true  } },
    { "rename":         { "field": "data.win.system.eventID",                   "target_field": "event.code",           "ignore_missing": true  } },
    { "rename":         { "field": "predecoder.program_name",                   "target_field": "process.name",         "ignore_missing": true  } },
+    { "rename":         { "field": "rule.description",                   "target_field": "rule.name",         "ignore_missing": true  } },
    { "set":            { "if": "ctx.rule.level == 1",          "field": "rule.category", "value": "None"                               } },
    { "set":            { "if": "ctx.rule.level == 2",          "field": "rule.category", "value": "System low priority notification"   } },
    { "set":            { "if": "ctx.rule.level == 3",          "field": "rule.category", "value": "Successful/authorized event"        } },
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -5,7 +5,7 @@
    { "rename":         { "field": "message2.file",        "target_field": "file",          "ignore_missing": true  } },
    { "rename":         { "field": "message2.scan",        "target_field": "scan",          "ignore_missing": true  } },
    { "rename":         { "field": "message2.request",        "target_field": "request",          "ignore_missing": true  } },
-    { "rename":         { "field": "scan.hash",        "target_field": "file.hash",          "ignore_missing": true  } },
+    { "rename":         { "field": "scan.hash",        "target_field": "hash",          "ignore_missing": true  } },
    { "remove":         { "field": ["host", "path"],                                         "ignore_missing": true  } },
    { "pipeline":       { "name": "common"                                                                                   } }
  ]
--- a/salt/elasticsearch/files/ingest/zeek.dnp3
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3
@@ -3,9 +3,9 @@
  "processors" : [
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.fc_request",	"target_field": "fc_request",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fc_reply", 	"target_field": "fc_reply",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.iin", 		"target_field": "iin",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fc_request",	"target_field": "dnp3.fc_request",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fc_reply", 	"target_field": "dnp3.fc_reply",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.iin", 		"target_field": "dnp3.iin",			"ignore_missing": true 	} },
    { "pipeline":       { "name": "zeek.common"                                                                                   } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
@@ -4,8 +4,8 @@
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fuid", 	 	"target_field": "log.id.fuid",			"ignore_missing": true 	} },
-    { "rename":         { "field": "message2.rx_hosts",         "target_field": "file.receive_ip",            "ignore_missing": true  } },
-    { "rename": 	{ "field": "message2.tx_hosts", 	"target_field": "file.transmit_ip",		"ignore_missing": true 	} },
+    { "rename":         { "field": "message2.rx_hosts",         "target_field": "destination.ip",            "ignore_missing": true  } },
+    { "rename": 	{ "field": "message2.tx_hosts", 	"target_field": "source.ip",		"ignore_missing": true 	} },
    { "set":         { "field": "server.ip",         "value": "{{source.ip}}",            "ignore_failure": true  } },
    { "set":         { "field": "client.ip",         "value": "{{destination.ip}}",            "ignore_failure": true  } },
    { "rename": 	{ "field": "message2.conn_uids", 	"target_field": "log.id.uids",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.notice
+++ b/salt/elasticsearch/files/ingest/zeek.notice
@@ -7,20 +7,20 @@
    { "rename": 	{ "field": "message2.mime", 		"target_field": "file.mimetype",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.desc", 		"target_field": "file.description",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.note", 		"target_field": "note",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.msg", 		"target_field": "msg",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sub", 		"target_field": "sub_msg",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.p", 		"target_field": "p",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.n", 		"target_field": "n",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.peer_descr",	"target_field": "peer_description",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.actions", 		"target_field": "action",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.suppress_for", 	"target_field": "suppress_for",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dropped", 		"target_field": "dropped",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_country_code",	"target_field": "destination_country_code",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_region", 	"target_field": "destination_region",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_city", 	"target_field": "destination_city",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_latitude", 	"target_field": "destination_latitude",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_longitude", 	"target_field": "destination_longitude",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.note", 		"target_field": "notice.note",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.msg", 		"target_field": "notice.message",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.sub", 		"target_field": "notice.sub_message",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.p", 		"target_field": "notice.p",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.n", 		"target_field": "notice.n",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.peer_descr",	"target_field": "notice.peer_description",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.actions", 		"target_field": "notice.action",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.suppress_for", 	"target_field": "notice.suppress_for",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dropped", 		"target_field": "notice.dropped",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_country_code",	"target_field": "geo.destination_country_code",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_region", 	"target_field": "geo.destination_region",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_city", 	"target_field": "geo.destination_city",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_latitude", 	"target_field": "geo.destination_latitude",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_longitude", 	"target_field": "geo.destination_longitude",	"ignore_missing": true 	} },
    { "pipeline":       { "name": "zeek.common"                                                                                   } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.rfb
+++ b/salt/elasticsearch/files/ingest/zeek.rfb
@@ -8,7 +8,7 @@
    { "rename": 	{ "field": "message2.server_major_version",	"target_field": "rfb.server_major_version",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.server_minor_version",	"target_field": "rfb.server_minor_version",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.authentication_method",	"target_field": "rfb.authentication.method","ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.auth", 			"target_field": "rfb.authenticaiton.success",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.auth", 			"target_field": "rfb.authentication.success",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.share_flag", 	"target_field": "rfb.share_flag",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.desktop_name", 	"target_field": "rfb.desktop.name",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.width", 		"target_field": "rfb.desktop.width",		"ignore_missing": true 	} },