From bc31e19e3753656fc4bf245be958943e526c2dab Mon Sep 17 00:00:00 2001
From: weslambert <wlambertts@gmail.com>
Date: Mon, 5 Oct 2020 11:34:29 -0400
Subject: [PATCH] Put back rule.category for Wazuh alerts

---
 salt/elasticsearch/files/ingest/ossec | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/salt/elasticsearch/files/ingest/ossec b/salt/elasticsearch/files/ingest/ossec
index 5557f7a56..deb34168c 100644
--- a/salt/elasticsearch/files/ingest/ossec
+++ b/salt/elasticsearch/files/ingest/ossec
@@ -38,6 +38,21 @@
     { "rename":         { "field": "decoder.name",                   "target_field": "event.dataset",         "ignore_missing": true  } },
     { "rename":         { "field": "rule.description",                   "target_field": "rule.name",         "ignore_missing": true  } },
     { "rename":         { "field": "rule.id",                            "target_field": "rule.uuid",         "ignore_missing": true  } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 1",          "field": "rule.category", "value": "None"                               } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 2",          "field": "rule.category", "value": "System low priority notification"   } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 3",          "field": "rule.category", "value": "Successful/authorized event"        } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 4",          "field": "rule.category", "value": "System low priority error"  } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 5",          "field": "rule.category", "value": "User generated error"               } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 6",          "field": "rule.category", "value": "Low relevance attack"               } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 7",          "field": "rule.category", "value": "\"Bad word\" matching"              } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 8",          "field": "rule.category", "value": "First time seen"                    } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 9",          "field": "rule.category", "value": "Error from invalid source"  } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 10",                 "field": "rule.category", "value": "Multiple user generated errors"     } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 11",                 "field": "rule.category", "value": "Integrity checking warning"         } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 12",                 "field": "rule.category", "value": "High importance event"              } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 13",                 "field": "rule.category", "value": "Unusal error (high importance)"     } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 14",                 "field": "rule.category", "value": "High importance security event"     } },
+    { "set":            { "if": "ctx.rule != null && ctx.rule.level == 15",                 "field": "rule.category", "value": "Severe attack"                      } },
     { "set":         { "if": "ctx.rule != null && ctx.rule.level >= 1 && ctx.rule.level <=7",   "field": "event.severity", "value": 1, "override": true }  },
     { "set":         { "if": "ctx.rule != null && ctx.rule.level >= 8 && ctx.rule.level <=11",   "field": "event.severity", "value": 2, "override": true }  },
     { "set":         { "if": "ctx.rule != null && ctx.rule.level >= 12 && ctx.rule.level <=14",   "field": "event.severity", "value": 3, "override": true }  },