From ae45d40eca779ebb06403b3ce5ffabc1572f32e9 Mon Sep 17 00:00:00 2001
From: Wes <wlambertts@gmail.com>
Date: Wed, 1 Nov 2023 13:34:30 +0000
Subject: [PATCH] Add Sublime Platform ingest pipeline

---
 salt/elasticsearch/files/ingest/sublime | 34 +++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/sublime

diff --git a/salt/elasticsearch/files/ingest/sublime b/salt/elasticsearch/files/ingest/sublime
new file mode 100644
index 000000000..c26f93c01
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/sublime
@@ -0,0 +1,34 @@
+{
+  "description" : " Email alerts from Sublime",
+  "processors" : [
+    { "set":         { "field": "event.module", "value": "sublime"  } },
+    { "set":         { "field": "event.dataset", "value": "alert"  } },
+    { "set":         { "field": "event.severity", "value": 3, "override": true }  },
+    { "set":         { "field": "rule.name", "value": "Sublime Platform: {{ flagged_rules.0.name }}", "override": true }  },
+    { "set":         { "field": "sublime.message_group_id", "value": "{{ _id }}", "override": true }  },
+    { "set":         { "field": "email.address", "value": "{{ messages.0.recipients.0.email }}", "override": true }  },
+    { "set":         { "field": "email.forwarded_recipents", "value": "{{ messages.0.forwarded_receipients }}", "override": true }  },
+    { "set":         { "field": "email.sender.address", "value": "{{ messages.0.sender.email }}", "override": true }  },
+    { "set":         { "field": "email.subject", "value": "{{ messages.0.subject }}", "override": true }  },
+    { "set":         { "field": "email.forwarded_at", "value": "{{ messages.0.forwarded_at }}", "override": true }  },
+    { "set":         { "field": "email.created_at", "value": "{{ messages.0.created_at }}", "override": true }  },
+    { "set":         { "field": "email.read_at", "value": "{{ messages.0.read_at }}", "override": true }  },
+    { "set":         { "field": "email.replied_at", "value": "{{ messages.0.replied_at }}", "override": true }  },
+    {
+        "grok": {
+          "field": "sublime.request_url",
+          "patterns": ["^https://api.%{DATA:sublime_host}/v0%{GREEDYDATA}$"],
+          "ignore_failure": true
+        }
+    },
+
+    { "rename":      { "field": "sublime_host", "target_field": "sublime.url", "ignore_missing": true } },
+    { "rename":      { "field": "data", "target_field": "sublime", "ignore_missing": true } },
+    { "rename":      { "field": "flagged_rules", "target_field": "sublime.flagged_rules", "ignore_missing": true } },
+    { "rename":      { "field": "organization_id", "target_field": "sublime.organization_id", "ignore_missing": true } },
+    { "rename":      { "field": "review_status", "target_field": "sublime.review_status", "ignore_missing": true } },
+    { "rename":      { "field": "state", "target_field": "sublime.state", "ignore_missing": true } },
+    { "rename":      { "field": "user_reports", "target_field": "sublime.user_reports", "ignore_missing": true } },
+    { "pipeline":    { "name": "common" } }
+  ]
+}