Make scan.pe.flags a string

2025-12-06 17:22:49 +01:00 · 2024-01-24 15:08:38 +00:00
parent cbdaf2e9a1
commit d23d367058
1 changed files with 3 additions and 2 deletions
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -67,7 +67,8 @@
    { "set":         { "if": "ctx.scan?.pe?.image_version == '0'",   "field": "scan.pe.image_version", "value": "0.0", "override": true }  },
    { "set":         { "field": "observer.name",        "value": "{{agent.name}}" }},
    { "convert" :    { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
-    { "remove":         { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },
-    { "pipeline":       { "name": "common"                                                                                   } }
+    { "convert" :    { "field" : "scan.pe.flags","type": "string", "ignore_missing":true }},
+    { "remove":      { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },
+    { "pipeline":    { "name": "common"                                                                                   } }
  ]
 }