From a38e312df427b89464c073a0888dfae31ee30691 Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 22 Nov 2022 13:36:27 +0000
Subject: [PATCH] Add COTP and TDS ingest pipelines
---
salt/elasticsearch/files/ingest/zeek.cotp | 10 ++++++++++
salt/elasticsearch/files/ingest/zeek.tds | 9 +++++++++
salt/elasticsearch/files/ingest/zeek.tds_rpc | 10 ++++++++++
salt/elasticsearch/files/ingest/zeek.tds_sql_batch | 10 ++++++++++
4 files changed, 39 insertions(+)
create mode 100644 salt/elasticsearch/files/ingest/zeek.cotp
create mode 100644 salt/elasticsearch/files/ingest/zeek.tds
create mode 100644 salt/elasticsearch/files/ingest/zeek.tds_rpc
create mode 100644 salt/elasticsearch/files/ingest/zeek.tds_sql_batch
diff --git a/salt/elasticsearch/files/ingest/zeek.cotp b/salt/elasticsearch/files/ingest/zeek.cotp
new file mode 100644
index 000000000..fb4b090cd
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.cotp
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.cotp",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.pdu_code", "target_field": "cotp.pdu.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_name", "target_field": "cotp.pdu.name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.tds b/salt/elasticsearch/files/ingest/zeek.tds
new file mode 100644
index 000000000..f9922f52c
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tds
@@ -0,0 +1,9 @@
+{
+ "description" : "zeek.tds",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
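Review bot: The rename targets in the zeek.cotp hunk nest the PDU fields as `cotp.pdu.code` and `cotp.pdu.name`, while the three TDS pipelines in the same patch keep their fields flat (`tds.command`, `tds.procedure_name`, `tds.query`); unless an existing mapping requires the nested `pdu` object, `cotp.pdu_code` / `cotp.pdu_name` would keep the two new namespaces consistent. Nothing in the diffstat touches an index template, so `cotp.pdu.code` will presumably be typed by dynamic mapping from the first document seen — worth confirming it lands as the type (numeric code vs. string) that detection content expects.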
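Review bot: In the zeek.tds hunk the `json` processor's `"ignore_failure": true` means a `message` that is not valid JSON passes silently on to `zeek.common` with no `tds.command` and no marker that extraction failed, which is hard to notice in a detection pipeline. The same pattern is used in all four new pipelines, so it may be a repo-wide convention, but an `on_failure` handler that records the error is safer, e.g. `{ "json": { "field": "message", "target_field": "message2", "on_failure": [ { "set": { "field": "error.message", "value": "{{ _ingest.on_failure_message }}" } } ] } }`. `zeek.common` is not in this patch, so whether it already tags or drops such documents cannot be verified from here.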
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_rpc b/salt/elasticsearch/files/ingest/zeek.tds_rpc
new file mode 100644
index 000000000..379a1efe5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tds_rpc
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.tds_rpc",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.parameters", "target_field": "tds.parameters", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_sql_batch b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
new file mode 100644
index 000000000..00174feb6
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.tds_sql_batch",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.query", "target_field": "tds.query", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
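Review bot: Credentials observed on the wire will land in the index in clear text through `tds.parameters` in the zeek.tds_rpc hunk (and `tds.query` in the sibling zeek.tds_sql_batch pipeline), since the renames carry the procedure arguments and batch text through verbatim and no processor in the patch redacts anything — calls such as `sp_password` or `CREATE LOGIN ... WITH PASSWORD` are the obvious cases. This is presumably intended, as those fields are exactly what detection content needs to search, but it should be stated where the next maintainer sees it, e.g. `"description" : "zeek.tds_rpc - raw RPC procedure name and parameters; may contain credentials"`, and index access and retention for `tds.*` considered with that in mind. Whether `zeek.common` applies any masking downstream is not visible from this patch.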
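Review bot: The diffstat lists only the four ingest files, so `tds.query` from the zeek.tds_sql_batch hunk is left to dynamic mapping; under Elasticsearch's default dynamic string mapping that is a `text` field with a `keyword` subfield limited by `ignore_above: 256`, so exact-match, term or aggregation queries on any SQL batch longer than 256 characters would silently return nothing. Batches carrying `xp_cmdshell`, `sp_configure` or bulk inserts routinely exceed that, so an explicit mapping for `tds.query` (and `tds.parameters`) in the index template, outside this patch, is worth adding alongside these pipelines. The template is not in view, so this may already be covered.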