From ec6638a2768908bf947ab26dd227b8f86939a088 Mon Sep 17 00:00:00 2001 
From: Wes Lambert
Date: Mon, 2 Mar 2020 19:10:18 +0000
Subject: [PATCH] src/dst ip/port fields to ECS
---
salt/elasticsearch/files/ingest/bro_conn | 10 +++++-----
salt/elasticsearch/files/ingest/bro_dce_rpc | 8 ++++----
salt/elasticsearch/files/ingest/bro_dhcp | 4 ++--
salt/elasticsearch/files/ingest/bro_dnp3 | 8 ++++----
salt/elasticsearch/files/ingest/bro_dns | 10 +++++-----
salt/elasticsearch/files/ingest/bro_dpd | 10 +++++-----
salt/elasticsearch/files/ingest/bro_files | 2 +-
salt/elasticsearch/files/ingest/bro_ftp | 14 +++++++-------
salt/elasticsearch/files/ingest/bro_http | 8 ++++----
salt/elasticsearch/files/ingest/bro_intel | 8 ++++----
salt/elasticsearch/files/ingest/bro_irc | 8 ++++----
salt/elasticsearch/files/ingest/bro_kerberos | 8 ++++----
salt/elasticsearch/files/ingest/bro_modbus | 8 ++++----
salt/elasticsearch/files/ingest/bro_mysql | 8 ++++----
salt/elasticsearch/files/ingest/bro_notice | 10 +++++-----
salt/elasticsearch/files/ingest/bro_ntlm | 8 ++++----
salt/elasticsearch/files/ingest/bro_radius | 8 ++++----
salt/elasticsearch/files/ingest/bro_rdp | 8 ++++----
salt/elasticsearch/files/ingest/bro_rfb | 8 ++++----
salt/elasticsearch/files/ingest/bro_signatures | 8 ++++----
salt/elasticsearch/files/ingest/bro_sip | 8 ++++----
salt/elasticsearch/files/ingest/bro_smb_files | 8 ++++----
salt/elasticsearch/files/ingest/bro_smb_mapping | 8 ++++----
salt/elasticsearch/files/ingest/bro_smtp | 8 ++++----
salt/elasticsearch/files/ingest/bro_snmp | 8 ++++----
salt/elasticsearch/files/ingest/bro_socks | 8 ++++----
salt/elasticsearch/files/ingest/bro_software | 4 ++--
salt/elasticsearch/files/ingest/bro_ssh | 8 ++++----
salt/elasticsearch/files/ingest/bro_ssl | 8 ++++----
salt/elasticsearch/files/ingest/bro_syslog | 10 +++++-----
salt/elasticsearch/files/ingest/bro_tunnels | 8 ++++----
salt/elasticsearch/files/ingest/bro_weird | 8 ++++----
salt/elasticsearch/files/ingest/common | 4 ++--
33 files changed, 131 insertions(+), 131 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/bro_conn b/salt/elasticsearch/files/ingest/bro_conn
index b12be156e..2fe68ec42 100644
--- a/salt/elasticsearch/files/ingest/bro_conn
+++ b/salt/elasticsearch/files/ingest/bro_conn
@@ -4,14 +4,14 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
 { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
 { "rename": { "field": "message2.orig_bytes", "target_field": "original_bytes", "ignore_missing": true } },
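Review bot: The added `proto` rename targets `network.protocol`, but Zeek's conn.log `proto` carries the transport layer (tcp/udp/icmp), which ECS places in `network.transport`; `network.protocol` is the application-layer name, which in this pipeline is the `service` value that is still left under the non-ECS `service`. I would change the added line to `{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }` and consider `{ "rename": { "field": "message2.service", "target_field": "network.protocol", "ignore_missing": true } }` in the same hunk. Dashboards or detection rules written against ECS that filter on `network.transport: tcp` would otherwise miss every conn event. Nothing in this patch touches the index template, so the new `source.ip`/`destination.ip` presumably still need `ip`-typed mappings and `source.port`/`destination.port` `long`-typed ones; confirm that is handled outside this diff, since a dynamic `keyword` mapping would break CIDR and range queries on these fields.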
diff --git a/salt/elasticsearch/files/ingest/bro_dce_rpc b/salt/elasticsearch/files/ingest/bro_dce_rpc
index 105905245..902785b92 100644
--- a/salt/elasticsearch/files/ingest/bro_dce_rpc
+++ b/salt/elasticsearch/files/ingest/bro_dce_rpc
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
 { "rename": { "field": "message2.named_pipe", "target_field": "named_pipe", "ignore_missing": true } },
 { "rename": { "field": "message2.endpoint", "target_field": "endpoint", "ignore_missing": true } },
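Review bot: Renaming into the dotted target `source.ip` only works if no scalar `source` field is already on the document; the `remove` of `source` in the bro_files pipeline elsewhere in this patch suggests the shipper still sets `source` as a string (the log path), and a rename onto a child of a string field fails the processor. `ignore_missing` only covers an absent `message2.id.orig_h`, and there is no `on_failure` handler, so such a conflict would reject the whole event rather than just lose one field. Either confirm the shipper emits `log.file.path` instead of `source`, or drop the legacy field before the first rename, e.g. `{ "remove": { "field": "source", "ignore_missing": true } }` placed ahead of the `id.orig_h` rename (or in the shared `common` pipeline if it runs first, which this diff does not show). The same ordering concern applies to every pipeline in this patch that now writes `source.ip`.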
diff --git a/salt/elasticsearch/files/ingest/bro_dhcp b/salt/elasticsearch/files/ingest/bro_dhcp
index 010d0f85b..88d4f94c2 100644
--- a/salt/elasticsearch/files/ingest/bro_dhcp
+++ b/salt/elasticsearch/files/ingest/bro_dhcp
@@ -8,8 +8,8 @@
 { "rename": { "field": "message2.lease_time", "target_field": "lease_time", "ignore_missing": true } },
 { "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
 { "rename": { "field": "message2.assigned_addr", "target_field": "assigned_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.client_addr", "target_field": "source_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.server_addr", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_addr", "target_field": "source.ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_addr", "target_field": "destination.ip", "ignore_missing": true } },
 { "rename": { "field": "message2.requested_addr", "target_field": "requested_ip", "ignore_missing": true } },
 { "rename": { "field": "message2.domain", "target_field": "domain_name", "ignore_missing": true } },
 { "rename": { "field": "message2.host_name", "target_field": "hostname", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_dnp3 b/salt/elasticsearch/files/ingest/bro_dnp3
index bebb85ecb..3797e14fe 100644
--- a/salt/elasticsearch/files/ingest/bro_dnp3
+++ b/salt/elasticsearch/files/ingest/bro_dnp3
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.fc_request", "target_field": "fc_request", "ignore_missing": true } },
 { "rename": { "field": "message2.fc_reply", "target_field": "fc_reply", "ignore_missing": true } },
 { "rename": { "field": "message2.iin", "target_field": "iin", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_dns b/salt/elasticsearch/files/ingest/bro_dns
index be8d59294..3857e8e07 100644
--- a/salt/elasticsearch/files/ingest/bro_dns
+++ b/salt/elasticsearch/files/ingest/bro_dns
@@ -4,14 +4,14 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
 { "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
 { "rename": { "field": "message2.query", "target_field": "query", "ignore_missing": true } },
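Review bot: As in the conn pipeline, dns.log `proto` is the transport (udp/tcp), so the added `proto` line should target `network.transport` rather than `network.protocol`: `{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }`. For this log the ECS `network.protocol` would be the constant `dns`, which could be added with a `set` processor if ECS-aware consumers are expected to pivot on it. Leaving `network.protocol` holding `udp` here means a query for DNS over TCP (`network.protocol: dns and network.transport: tcp`) cannot be expressed against these documents.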
diff --git a/salt/elasticsearch/files/ingest/bro_dpd b/salt/elasticsearch/files/ingest/bro_dpd
index caf66d39e..963d6cd1d 100644
--- a/salt/elasticsearch/files/ingest/bro_dpd
+++ b/salt/elasticsearch/files/ingest/bro_dpd
@@ -4,14 +4,14 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.analyzer", "target_field": "analyzer", "ignore_missing": true } },
 { "rename": { "field": "message2.failure_reason", "target_field": "failure_reason", "ignore_missing": true } },
 { "pipeline": { "name": "bro_common" } }
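Review bot: The same transport/protocol mix-up is on the added `proto` line here; dpd.log `proto` is tcp/udp and belongs in `network.transport`, while `analyzer` (left as a custom field in this hunk) is the closest thing this log has to an application-protocol name. Suggest `"target_field": "network.transport"` on the added line so the three pipelines in this patch that carry `proto` agree with each other and with ECS.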
diff --git a/salt/elasticsearch/files/ingest/bro_files b/salt/elasticsearch/files/ingest/bro_files
index 0472b357b..5d138557d 100644
--- a/salt/elasticsearch/files/ingest/bro_files
+++ b/salt/elasticsearch/files/ingest/bro_files
@@ -4,7 +4,7 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
 { "rename": { "field": "message2.tx_hosts", "target_field": "file_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } },
 { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } },
 { "rename": { "field": "message2.conn_uids", "target_field": "uid", "ignore_missing": true } },
 { "remove": { "field": "source", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_ftp b/salt/elasticsearch/files/ingest/bro_ftp
index 34775072d..e602f29fb 100644
--- a/salt/elasticsearch/files/ingest/bro_ftp
+++ b/salt/elasticsearch/files/ingest/bro_ftp
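Review bot: `rx_hosts.0` now lands in the ECS `destination.ip` while its counterpart `tx_hosts` stays in the custom `file_ip`, so the sender and receiver of a file end up in two naming schemes and an ECS consumer sees a destination with no source. Mapping `tx_hosts` to `source.ip` would be the symmetric fix, but the later `{ "remove": { "field": "source", "ignore_missing": true } }` in this hunk would then delete the whole ECS `source` object; that removal, which appears to target a shipper-supplied string field, would have to move ahead of the renames or be narrowed to what it is meant to drop. Note also that `rx_hosts.0` keeps only the first element of what arrives as an array (hence the `.0` index and the following `remove`), so `destination.ip` silently drops additional receivers; that is pre-existing behaviour, but worth a comment now that the value carries an ECS name.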
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.user", "target_field": "username", "ignore_missing": true } },
 { "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
 { "rename": { "field": "message2.command", "target_field": "ftp_command", "ignore_missing": true } },
@@ -22,11 +22,11 @@
 { "dot_expander": { "field": "data_channel.passive", "path": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.data_channel.passive","target_field": "data_channel_passive", "ignore_missing": true } },
 { "dot_expander": { "field": "data_channel.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.data_channel.orig_h","target_field": "data_channel_source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_channel.orig_h","target_field": "data_channel_source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "data_channel.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.data_channel.resp_h","target_field": "data_channel_destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_channel.resp_h","target_field": "data_channel_destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "data_channel.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.data_channel.resp_p","target_field": "data_channel_destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_channel.resp_p","target_field": "data_channel_destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
 { "pipeline": { "name": "bro_common" } }
 ]
diff --git a/salt/elasticsearch/files/ingest/bro_http b/salt/elasticsearch/files/ingest/bro_http
index 842a12bc9..3756ca323 100644
--- a/salt/elasticsearch/files/ingest/bro_http
+++ b/salt/elasticsearch/files/ingest/bro_http
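Review bot: The new targets `data_channel_source.ip`, `data_channel_destination.ip` and `data_channel_destination.port` are neither ECS nor this file's flat convention: the dot makes Elasticsearch create objects named `data_channel_source` and `data_channel_destination`, which no ECS consumer knows about, while `data_channel_passive` two lines up stays flat. I would either keep these flat (`data_channel_destination_ip`, as before) or nest all of them under one object, `data_channel.source.ip`, `data_channel.destination.ip`, `data_channel.destination.port`, so the mapping and any later ECS-style query are consistent. Whichever is chosen, the template mapping for the newly created object fields (`ip`/`long` types) is outside this diff and should be confirmed.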
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
 { "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
 { "rename": { "field": "message2.host", "target_field": "virtual_host", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_intel b/salt/elasticsearch/files/ingest/bro_intel
index 20bf90c5a..9718bd45e 100644
--- a/salt/elasticsearch/files/ingest/bro_intel
+++ b/salt/elasticsearch/files/ingest/bro_intel
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.seen.indicator", "target_field": "indicator", "ignore_missing": true } },
 { "dot_expander": { "field": "seen.indicator_type", "path": "message2", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_irc b/salt/elasticsearch/files/ingest/bro_irc
index c2a5ba22d..079c410ee 100644
--- a/salt/elasticsearch/files/ingest/bro_irc
+++ b/salt/elasticsearch/files/ingest/bro_irc
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.nick", "target_field": "nick", "ignore_missing": true } },
 { "rename": { "field": "message2.user", "target_field": "irc_username", "ignore_missing": true } },
 { "rename": { "field": "message2.command", "target_field": "irc_command", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_kerberos b/salt/elasticsearch/files/ingest/bro_kerberos
index b338b5c96..83c93476d 100644
--- a/salt/elasticsearch/files/ingest/bro_kerberos
+++ b/salt/elasticsearch/files/ingest/bro_kerberos
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.request_type", "target_field": "request_type", "ignore_missing": true } },
 { "rename": { "field": "message2.client", "target_field": "client", "ignore_missing": true } },
 { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_modbus b/salt/elasticsearch/files/ingest/bro_modbus
index 10e7c271a..3c3b17c45 100644
--- a/salt/elasticsearch/files/ingest/bro_modbus
+++ b/salt/elasticsearch/files/ingest/bro_modbus
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.func", "target_field": "function", "ignore_missing": true } },
 { "rename": { "field": "message2.exception", "target_field": "exception", "ignore_missing": true } },
 { "pipeline": { "name": "bro_common" } }
diff --git a/salt/elasticsearch/files/ingest/bro_mysql b/salt/elasticsearch/files/ingest/bro_mysql
index a01d57da2..676213b06 100644
--- a/salt/elasticsearch/files/ingest/bro_mysql
+++ b/salt/elasticsearch/files/ingest/bro_mysql
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.cmd", "target_field": "mysql_command", "ignore_missing": true } },
 { "rename": { "field": "message2.arg", "target_field": "mysql_argument", "ignore_missing": true } },
 { "rename": { "field": "message2.success", "target_field": "mysql_success", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_notice b/salt/elasticsearch/files/ingest/bro_notice
index 6e43448d5..4ba1b7d88 100644
--- a/salt/elasticsearch/files/ingest/bro_notice
+++ b/salt/elasticsearch/files/ingest/bro_notice
@@ -6,17 +6,17 @@
 { "remove": { "field": "message2.src", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
 { "rename": { "field": "message2.mime", "target_field": "file_mime_type", "ignore_missing": true } },
 { "rename": { "field": "message2.desc", "target_field": "file_description", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
 { "rename": { "field": "message2.msg", "target_field": "msg", "ignore_missing": true } },
 { "rename": { "field": "message2.sub", "target_field": "sub_msg", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_ntlm b/salt/elasticsearch/files/ingest/bro_ntlm
index a3d130343..0921a5dbc 100644
--- a/salt/elasticsearch/files/ingest/bro_ntlm
+++ b/salt/elasticsearch/files/ingest/bro_ntlm
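Review bot: The added `proto` line has the same issue as in conn: notice.log `proto` is a transport protocol and belongs in `network.transport`, not `network.protocol`, so `"target_field": "network.transport"` is the right ECS target here. Separately, now that the connection tuple is ECS-named, the `remove` of `message2.src` at the top of the hunk discards the address Zeek provides for notices that carry no connection id (if `src` is the notice source address here, as its name suggests; confirm against the notice.log schema), leaving those events with no `source.ip` at all. A guarded fallback after the `id.orig_h` rename, `{ "rename": { "field": "message2.src", "target_field": "source.ip", "ignore_missing": true, "if": "ctx.source?.ip == null" } }`, would preserve it without clashing with the connection-based value; the `rename` processor errors if the target already exists, hence the condition.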
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.hostname", "target_field": "hostname", "ignore_missing": true } },
 { "rename": { "field": "message2.domainname", "target_field": "domain_name", "ignore_missing": true } },
 { "rename": { "field": "message2.success", "target_field": "ntlm_success", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_radius b/salt/elasticsearch/files/ingest/bro_radius
index c333711d6..35fede6b7 100644
--- a/salt/elasticsearch/files/ingest/bro_radius
+++ b/salt/elasticsearch/files/ingest/bro_radius
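Review bot: The four `+` rename lines now write into object paths (`source.ip`, `source.port`, `destination.ip`, `destination.port`) with only `ignore_missing`, so if an event already carries a top-level `source` or `destination` that is not an object (for example a string set upstream by the shipper), the rename processor fails and the whole document is rejected by the pipeline instead of being indexed without that field. This failure mode is new with the commit: the old flat names `source_ip`/`destination_ip` could not collide with an object path, and the surrounding `dot_expander` steps carry `ignore_failure` while these renames do not. Either confirm that nothing populates `source`/`destination` before these pipelines run, or clear the conflicting field first the way the bro_smb_files and bro_smtp hunks already do for `path` (`{ "remove": { "field": "path", "ignore_failure": true } },`). The same applies to every other hunk in the commit, including the bro_notice hunk above.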
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.username", "target_field": "username", "ignore_missing": true } },
 { "rename": { "field": "message2.mac", "target_field": "mac", "ignore_missing": true } },
 { "rename": { "field": "message2.framed_addr", "target_field": "framed_addr", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_rdp b/salt/elasticsearch/files/ingest/bro_rdp
index b3cf206a5..49849a8c6 100644
--- a/salt/elasticsearch/files/ingest/bro_rdp
+++ b/salt/elasticsearch/files/ingest/bro_rdp
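Review bot: Renaming into `source.ip` and `destination.ip` only gives these fields IP semantics if the index template maps those paths as type `ip`; the diffstat lists ingest pipelines only, so if the template still declares `source_ip`/`destination_ip` or leaves the new paths to dynamic mapping, the addresses land as text/keyword and CIDR or range queries in searches and detection rules stop behaving as IP queries. It is worth confirming the template change lands with this commit, and the check applies to every hunk in it. A sentence in the commit description stating where `source.*` and `destination.*` are mapped would save the next reviewer the same search. The old `source_ip`/`destination_ip` names also vanish from new documents, so dashboards and saved searches that reference them need updating or a field alias.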
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.cookie", "target_field": "cookie", "ignore_missing": true } },
 { "rename": { "field": "message2.result", "target_field": "result", "ignore_missing": true } },
 { "rename": { "field": "message2.security_protocol","target_field": "security_protocol", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_rfb b/salt/elasticsearch/files/ingest/bro_rfb
index 8f3cc86e7..0e6cb4eb2 100644
--- a/salt/elasticsearch/files/ingest/bro_rfb
+++ b/salt/elasticsearch/files/ingest/bro_rfb
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.client_major_version", "target_field": "client_major_version", "ignore_missing": true } },
 { "rename": { "field": "message2.client_minor_version", "target_field": "client_minor_version", "ignore_missing": true } },
 { "rename": { "field": "message2.server_major_version", "target_field": "server_major_version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_signatures b/salt/elasticsearch/files/ingest/bro_signatures
index 5dd3d9924..9187c94a2 100644
--- a/salt/elasticsearch/files/ingest/bro_signatures
+++ b/salt/elasticsearch/files/ingest/bro_signatures
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
 { "rename": { "field": "message2.sig_id", "target_field": "signature_id", "ignore_missing": true } },
 { "rename": { "field": "message2.event_msg", "target_field": "event_message", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_sip b/salt/elasticsearch/files/ingest/bro_sip
index 3a8b00d62..0d55ca5a0 100644
--- a/salt/elasticsearch/files/ingest/bro_sip
+++ b/salt/elasticsearch/files/ingest/bro_sip
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
 { "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
 { "rename": { "field": "message2.uri", "target_field": "uri", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_smb_files b/salt/elasticsearch/files/ingest/bro_smb_files
index 83ba8bd67..2e552234a 100644
--- a/salt/elasticsearch/files/ingest/bro_smb_files
+++ b/salt/elasticsearch/files/ingest/bro_smb_files
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
 { "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
 { "remove": { "field": "path", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_smb_mapping b/salt/elasticsearch/files/ingest/bro_smb_mapping
index e1b6b5dfb..220a10e2b 100644
--- a/salt/elasticsearch/files/ingest/bro_smb_mapping
+++ b/salt/elasticsearch/files/ingest/bro_smb_mapping
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "remove": { "field": "path", "ignore_failure": true } },
 { "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
 { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_smtp b/salt/elasticsearch/files/ingest/bro_smtp
index 4bd85a293..d5e9a6d6f 100644
--- a/salt/elasticsearch/files/ingest/bro_smtp
+++ b/salt/elasticsearch/files/ingest/bro_smtp
@@ -5,13 +5,13 @@
 { "remove": { "field": "path", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
 { "rename": { "field": "message2.helo", "target_field": "helo", "ignore_missing": true } },
 { "rename": { "field": "message2.mailfrom", "target_field": "mail_from", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_snmp b/salt/elasticsearch/files/ingest/bro_snmp
index bec88c1af..31eb9514d 100644
--- a/salt/elasticsearch/files/ingest/bro_snmp
+++ b/salt/elasticsearch/files/ingest/bro_snmp
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
 { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
 { "rename": { "field": "message2.community", "target_field": "community", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_socks b/salt/elasticsearch/files/ingest/bro_socks
index 38c5dd528..421168baf 100644
--- a/salt/elasticsearch/files/ingest/bro_socks
+++ b/salt/elasticsearch/files/ingest/bro_socks
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
 { "rename": { "field": "message2.user", "target_field": "user", "ignore_missing": true } },
 { "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_software b/salt/elasticsearch/files/ingest/bro_software
index e742fda9e..c3cfc711b 100644
--- a/salt/elasticsearch/files/ingest/bro_software
+++ b/salt/elasticsearch/files/ingest/bro_software
@@ -13,8 +13,8 @@
 { "rename": { "field": "message2.version.minor3", "target_field": "version_minor3", "ignore_missing": true } },
 { "dot_expander": { "field": "version.addl", "path": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.version.addl", "target_field": "version_additional_info", "ignore_missing": true } },
- { "rename": { "field": "message2.host", "target_field": "source_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.host_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.host", "target_field": "source.ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_p", "target_field": "source.port", "ignore_missing": true } },
 { "rename": { "field": "message2.software_type", "target_field": "software_type", "ignore_missing": true } },
 { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
 { "rename": { "field": "message2.unparsed_version", "target_field": "unparsed_version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_ssh b/salt/elasticsearch/files/ingest/bro_ssh
index 7df949503..583e5e1bb 100644
--- a/salt/elasticsearch/files/ingest/bro_ssh
+++ b/salt/elasticsearch/files/ingest/bro_ssh
@@ -3,13 +3,13 @@
 "processors" : [
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "rename": { "field": "message2.hassh", "target_field": "hassh", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_ssl b/salt/elasticsearch/files/ingest/bro_ssl
index 04d0fc8ec..83298b323 100644
--- a/salt/elasticsearch/files/ingest/bro_ssl
+++ b/salt/elasticsearch/files/ingest/bro_ssl
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
 { "rename": { "field": "message2.cipher", "target_field": "cipher", "ignore_missing": true } },
 { "rename": { "field": "message2.curve", "target_field": "curve", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_syslog b/salt/elasticsearch/files/ingest/bro_syslog
index 9599b435c..84d1bcdf2 100644
--- a/salt/elasticsearch/files/ingest/bro_syslog
+++ b/salt/elasticsearch/files/ingest/bro_syslog
@@ -4,14 +4,14 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.facility", "target_field": "facility", "ignore_missing": true } },
 { "rename": { "field": "message2.severity", "target_field": "severity", "ignore_missing": true } },
 { "remove": { "field": "message", "ignore_failure": true } },
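Review bot: `network.protocol` is the wrong ECS field for the syslog `proto` rename: in ECS `network.protocol` holds the application-layer protocol name (`http`, `dns`, `syslog`), while the transport layer (`tcp`/`udp`) belongs in `network.transport`, and Zeek's syslog.log `proto` field is the transport protocol. Writing `udp` into `network.protocol` makes these records look like an L7 protocol named `udp` and will mislead any detection or dashboard that keys on that field across log types. Suggest `{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },` and, if an L7 label is wanted, setting `network.protocol` to a constant `syslog` with a separate `set` processor. The enclosing `processors` array continues outside this hunk.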
diff --git a/salt/elasticsearch/files/ingest/bro_tunnels b/salt/elasticsearch/files/ingest/bro_tunnels
index 50c12518f..daec8fba7 100644
--- a/salt/elasticsearch/files/ingest/bro_tunnels
+++ b/salt/elasticsearch/files/ingest/bro_tunnels
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.tunnel_type", "target_field": "tunnel_type", "ignore_missing": true } },
 { "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
 { "pipeline": { "name": "bro_common" } }
diff --git a/salt/elasticsearch/files/ingest/bro_weird b/salt/elasticsearch/files/ingest/bro_weird
index b471f5e75..1bf155514 100644
--- a/salt/elasticsearch/files/ingest/bro_weird
+++ b/salt/elasticsearch/files/ingest/bro_weird
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
 { "rename": { "field": "message2.addl", "target_field": "additional_info", "ignore_missing": true } },
 { "rename": { "field": "message2.notice", "target_field": "notice", "ignore_missing": true } },
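Review bot: The new `source.ip` / `source.port` renames turn `source` into an object, and Zeek's weird.log also carries its own string field named `source` (the analyzer that reported the weird); if the remainder of this pipeline, which continues outside the hunk, renames `message2.source` to a top-level `source`, that `rename` will now throw because the target already exists, and with no `on_failure` handler visible here the whole document would be dropped rather than indexed without the field. Worth checking the rest of the processor list and, if such a rename exists, moving Zeek's value to a non-colliding name (a placeholder such as `weird_source`, or a field under the ECS `event`/`rule` namespaces if one fits) so weird records keep flowing.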
diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common
index ed227258e..6463757ca 100644
--- a/salt/elasticsearch/files/ingest/common
+++ b/salt/elasticsearch/files/ingest/common
@@ -10,7 +10,7 @@
 },
 {
 "geoip": {
- "field": "destination_ip",
+ "field": "destination.ip",
 "target_field": "destination_geo",
 "database_file": "GeoLite2-City.mmdb",
 "ignore_missing": true,
@@ -19,7 +19,7 @@
 },
 {
 "geoip": {
- "field": "source_ip",
+ "field": "source.ip",
 "target_field": "source_geo",
 "database_file": "GeoLite2-City.mmdb",
 "ignore_missing": true,
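Review bot: Both `geoip` processors now read the ECS `destination.ip` / `source.ip` fields but still write to the pre-ECS `destination_geo` / `source_geo`, leaving this shared pipeline half-migrated; ECS places enrichment under `destination.geo` and `source.geo`, and the geoip processor's default property names (`continent_name`, `country_iso_code`, `country_name`, `region_iso_code`, `region_name`, `city_name`, `location`) already match the ECS `geo.*` field names, so `"target_field": "destination.geo"` and `"target_field": "source.geo"` would complete the move with no further remapping. Separately, because `ignore_missing` is `true`, any pipeline that chains into this one but still emits `source_ip` / `destination_ip` after this change (only some of the ingest files are visible here) will silently lose GeoIP enrichment rather than fail, which is a detection gap that is easy to miss; a quick check that every caller now produces the ECS names, or a temporary `on_failure`/tag marking un-enriched documents, would make the cut-over observable. Both hunks sit inside a `processors` array that starts and ends outside this diff.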