From c74ace89bae108dbccd7f4f75241fb5058ef7ef6 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 21 May 2020 14:34:00 -0400
Subject: [PATCH] Initial support - Ingest community_id

---
 salt/elasticsearch/files/ingest/zeek.common | 9 +++++++++
 salt/elasticsearch/files/ingest/zeek.http | 1 +
 salt/elasticsearch/files/ingest/zeek.notice | 2 +-
 salt/elasticsearch/files/ingest/zeek.smtp | 1 +
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.common b/salt/elasticsearch/files/ingest/zeek.common
index c31625db6..5859b354b 100644
--- a/salt/elasticsearch/files/ingest/zeek.common
+++ b/salt/elasticsearch/files/ingest/zeek.common
@@ -7,6 +7,15 @@
  { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
  { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
  { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+
+ {"convert":{"field":"message2.id.orig_p","type":"string"}},
+ {"convert":{"field":"message2.id.resp_p","type":"string"}},
+
+ {"community_id": {"if": "ctx.network?.transport != null", "field":["message2.id.orig_h","message2.id.orig_p","message2.id.resp_h","message2.id.resp_p","network.transport"],"target_field":"network.community_id"}},
+
+ {"convert":{"field":"message2.id.orig_p","type":"integer"}},
+ {"convert":{"field":"message2.id.resp_p","type":"integer"}},
+
  { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
  { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
  { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.http b/salt/elasticsearch/files/ingest/zeek.http
index a1354044c..3368e45e1 100644
--- a/salt/elasticsearch/files/ingest/zeek.http
+++ b/salt/elasticsearch/files/ingest/zeek.http
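Review bot: The four added `convert` processors run unconditionally and, unlike the neighbouring `dot_expander` (`ignore_failure`) and `rename` (`ignore_missing`) steps, carry neither option, so any event that reaches zeek.common without `message2.id.orig_p` or `message2.id.resp_p` fails the whole pipeline and is dropped instead of being indexed without a community_id. Either gate them with the same `if` as the community_id step or add `"ignore_missing": true`, e.g. `{"convert":{"field":"message2.id.orig_p","type":"string","ignore_missing":true}},` and likewise for the other three. The string→integer round-trip presumably exists because the community_id processor expects string port values; stating that in the commit message would stop a later maintainer from collapsing it. Note also that the `if` tests only `ctx.network?.transport`, so an event with a transport but no `id.*` fields still reaches the processor, and whether it tolerates that depends on the processor's own missing-field handling, which this patch does not show.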
@@ -29,6 +29,7 @@
  { "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
  { "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
  { "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
+ { "set": { "field": "network.transport", "value": "tcp" } },
  { "pipeline": { "name": "zeek.common" } }
  ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.notice b/salt/elasticsearch/files/ingest/zeek.notice
index 4e54f325d..b662393f6 100644
--- a/salt/elasticsearch/files/ingest/zeek.notice
+++ b/salt/elasticsearch/files/ingest/zeek.notice
@@ -6,7 +6,7 @@
  { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
  { "rename": { "field": "message2.mime", "target_field": "file.mimetype", "ignore_missing": true } },
  { "rename": { "field": "message2.desc", "target_field": "file.description", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
  { "rename": { "field": "message2.note", "target_field": "notice.note", "ignore_missing": true } },
  { "rename": { "field": "message2.msg", "target_field": "notice.message", "ignore_missing": true } },
  { "rename": { "field": "message2.sub", "target_field": "notice.sub_message", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.smtp b/salt/elasticsearch/files/ingest/zeek.smtp
index 473b4cce5..9bfb1e3e1 100644
--- a/salt/elasticsearch/files/ingest/zeek.smtp
+++ b/salt/elasticsearch/files/ingest/zeek.smtp
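Review bot: The hardcoded `set` of `network.transport` to `tcp` is what lets the community_id step in zeek.common fire for HTTP events, and this patch adds the same literal only here and in the zeek.smtp hunk (same line, same point). Every other Zeek log pipeline that ends in `{ "pipeline": { "name": "zeek.common" } }` without setting `network.transport` will silently skip community_id because of its `ctx.network?.transport != null` condition, so coverage after this commit is partial and the gaps are invisible in the indexed data. Where a log carries Zeek's own `proto` field, renaming it as zeek.notice now does is preferable to a per-pipeline literal; where it does not, the literal is acceptable but worth a one-line mention in the commit message listing which pipelines are covered. `set` overrides any existing value by default, so `"override": false` would preserve a transport already populated upstream if that ever applies. The processors array this hunk sits in begins outside the hunk.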
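Review bot: Moving `message2.proto` from `network.protocol` to `network.transport` is the correct ECS placement if notice.log's `proto` holds the transport layer (tcp/udp/icmp), and it is the change that makes the community_id condition in zeek.common apply to notices, but it also removes `network.protocol` from notice events with no transition. Any saved search, dashboard or detection rule that filtered notices on `network.protocol` stops matching after this deploys, so the commit message should call out the field rename explicitly rather than describing the change only as "Ingest community_id". If notice `proto` can carry a value outside tcp/udp/icmp, that value now lands in `network.transport` and flows into the community_id input, which is worth confirming against the Zeek notice schema. The processors array this hunk sits in begins and ends outside the hunk.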
@@ -25,6 +25,7 @@
  { "rename": { "field": "message2.tls", "target_field": "smtp.tls", "ignore_missing": true } },
  { "rename": { "field": "message2.fuids", "target_field": "log.id.fuids", "ignore_missing": true } },
  { "rename": { "field": "message2.is_webmail", "target_field": "smtp.is_webmail", "ignore_missing": true } },
+ { "set": { "field": "network.transport", "value": "tcp" } },
  { "pipeline": { "name": "zeek.common" } }
  ]
 }