From ef808875f481e3254ebbbc4dcf79a0f7eff060b3 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 24 Mar 2020 15:42:31 +0000
Subject: [PATCH] fix ossec fields

---
 salt/elasticsearch/files/ingest/ossec.alert | 91 +++++++++++----------
 1 file changed, 46 insertions(+), 45 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/ossec.alert b/salt/elasticsearch/files/ingest/ossec.alert
index 23d374fdc..cf35aa44c 100644
--- a/salt/elasticsearch/files/ingest/ossec.alert
+++ b/salt/elasticsearch/files/ingest/ossec.alert
@@ -1,54 +1,55 @@
 {
 "description" : "ossec",
 "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "remove": { "field": [ "agent" ], "ignore_missing": true, "ignore_failure": false } },
- { "rename": { "field": "message2.agent", "target_field": "agent", "ignore_missing": true } },
- { "rename": { "field": "message2.data", "target_field": "data", "ignore_missing": true } },
- { "rename": { "field": "message2.decoder", "target_field": "decoder", "ignore_missing": true } },
- { "rename": { "field": "message2.full_log", "target_field": "log.full", "ignore_missing": true } },
- { "rename": { "field": "message2.id", "target_field": "log.id.id", "ignore_missing": true } },
- { "rename": { "field": "message2.location", "target_field": "location", "ignore_missing": true } },
- { "rename": { "field": "message2.manager", "target_field": "manager", "ignore_missing": true } },
- { "rename": { "field": "message2.predecoder", "target_field": "predecoder", "ignore_missing": true } },
- { "rename": { "field": "message2.timestamp", "target_field": "timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.agent", "target_field": "agent", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "data", "ignore_missing": true } },
+ { "rename": { "field": "message2.decoder", "target_field": "decoder", "ignore_missing": true } },
+ { "rename": { "field": "message2.full_log", "target_field": "log.full", "ignore_missing": true } },
+ { "rename": { "field": "message2.id", "target_field": "log.id.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.location", "target_field": "log.location", "ignore_missing": true } },
+ { "rename": { "field": "message2.manager", "target_field": "manager", "ignore_missing": true } },
+ { "rename": { "field": "message2.predecoder", "target_field": "predecoder", "ignore_missing": true } },
+ { "rename": { "field": "message2.timestamp", "target_field": "event.timestamp", "ignore_missing": true } },
 { "rename": { "field": "message2.previous_log", "target_field": "log.previous_log", "ignore_missing": true } },
 { "rename": { "field": "message2.previous_output", "target_field": "log.previous_output", "ignore_missing": true } },
- { "rename": { "field": "message2.rule", "target_field": "rule", "ignore_missing": true } },
- { "rename": { "field": "data.command", "target_field": "command", "ignore_missing": true } },
- { "rename": { "field": "data.dstip", "target_field": "destination.ip", "ignore_missing": true } },
- { "rename": { "field": "data.dstport", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "data.dstuser", "target_field": "user.escalated", "ignore_missing": true } },
- { "rename": { "field": "data.srcip", "target_field": "source.ip", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.destinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.destinationIp", "target_field": "destination.ip", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.destinationPort", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.image", "target_field": "image_path", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.parentImage", "target_field": "parent_image_path", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.sourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.sourceIp", "target_field": "source_ip", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.sourcePort", "target_field": "source.port", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "file.target", "ignore_missing": true } },
- { "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
- { "rename": { "field": "data.win.system.eventID", "target_field": "event.code", "ignore_missing": true } },
- { "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
- { "set": { "if": "ctx.rule.level == 1", "field": "rule.category", "value": "None" } },
- { "set": { "if": "ctx.rule.level == 2", "field": "rule.category", "value": "System low priority notification" } },
- { "set": { "if": "ctx.rule.level == 3", "field": "rule.category", "value": "Successful/authorized event" } },
- { "set": { "if": "ctx.rule.level == 4", "field": "rule.category", "value": "System low priority error" } },
- { "set": { "if": "ctx.rule.level == 5", "field": "rule.category", "value": "User generated error" } },
- { "set": { "if": "ctx.rule.level == 6", "field": "rule.category", "value": "Low relevance attack" } },
- { "set": { "if": "ctx.rule.level == 7", "field": "rule.category", "value": "\"Bad word\" matching" } },
- { "set": { "if": "ctx.rule.level == 8", "field": "rule.category", "value": "First time seen" } },
- { "set": { "if": "ctx.rule.level == 9", "field": "rule.category", "value": "Error from invalid source" } },
- { "set": { "if": "ctx.rule.level == 10", "field": "rule.category", "value": "Multiple user generated errors" } },
- { "set": { "if": "ctx.rule.level == 11", "field": "rule.category", "value": "Integrity checking warning" } },
- { "set": { "if": "ctx.rule.level == 12", "field": "rule.category", "value": "High importance event" } },
- { "set": { "if": "ctx.rule.level == 13", "field": "rule.category", "value": "Unusal error (high importance)" } },
- { "set": { "if": "ctx.rule.level == 14", "field": "rule.category", "value": "High importance security event" } },
- { "set": { "if": "ctx.rule.level == 15", "field": "rule.category", "value": "Severe attack" } },
- { "append": { "if": "ctx.rule.level != null", "field": "tags", "value": ["alert"] } },
+ { "rename": { "field": "message2.rule", "target_field": "rule", "ignore_missing": true } },
+ { "rename": { "field": "message2.syscheck", "target_field": "host.syscheck", "ignore_missing": true } },
+ { "rename": { "field": "data.command", "target_field": "process.command_line", "ignore_missing": true } },
+ { "rename": { "field": "data.dstip", "target_field": "destination.ip", "ignore_missing": true } },
+ { "rename": { "field": "data.dstport", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "data.dstuser", "target_field": "user.escalated", "ignore_missing": true } },
+ { "rename": { "field": "data.srcip", "target_field": "source.ip", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.destinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.destinationIp", "target_field": "destination.ip", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.destinationPort", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.image", "target_field": "image_path", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.parentImage", "target_field": "parent_image_path", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.sourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.sourceIp", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.sourcePort", "target_field": "source.port", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "file.target", "ignore_missing": true } },
+ { "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
+ { "rename": { "field": "data.win.system.eventID", "target_field": "event.code", "ignore_missing": true } },
+ { "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
+ { "set": { "if": "ctx.rule.level == 1", "field": "rule.category", "value": "None" } },
+ { "set": { "if": "ctx.rule.level == 2", "field": "rule.category", "value": "System low priority notification" } },
+ { "set": { "if": "ctx.rule.level == 3", "field": "rule.category", "value": "Successful/authorized event" } },
+ { "set": { "if": "ctx.rule.level == 4", "field": "rule.category", "value": "System low priority error" } },
+ { "set": { "if": "ctx.rule.level == 5", "field": "rule.category", "value": "User generated error" } },
+ { "set": { "if": "ctx.rule.level == 6", "field": "rule.category", "value": "Low relevance attack" } },
+ { "set": { "if": "ctx.rule.level == 7", "field": "rule.category", "value": "\"Bad word\" matching" } },
+ { "set": { "if": "ctx.rule.level == 8", "field": "rule.category", "value": "First time seen" } },
+ { "set": { "if": "ctx.rule.level == 9", "field": "rule.category", "value": "Error from invalid source" } },
+ { "set": { "if": "ctx.rule.level == 10", "field": "rule.category", "value": "Multiple user generated errors" } },
+ { "set": { "if": "ctx.rule.level == 11", "field": "rule.category", "value": "Integrity checking warning" } },
+ { "set": { "if": "ctx.rule.level == 12", "field": "rule.category", "value": "High importance event" } },
+ { "set": { "if": "ctx.rule.level == 13", "field": "rule.category", "value": "Unusal error (high importance)" } },
+ { "set": { "if": "ctx.rule.level == 14", "field": "rule.category", "value": "High importance security event" } },
+ { "set": { "if": "ctx.rule.level == 15", "field": "rule.category", "value": "Severe attack" } },
+ { "append": { "if": "ctx.rule.level != null", "field": "tags", "value": ["alert"] } },
 { "remove": { "field": [ "predecoder", "decoder" ], "ignore_missing": true, "ignore_failure": false } },
- { "pipeline": { "name": "common" } }
+ { "pipeline": { "name": "common" } }
 ]
 }
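Review bot: The `set` conditions on the new side (`"if": "ctx.rule.level == 1"` through `== 15`) and the `append` condition `ctx.rule.level != null` dereference `ctx.rule` without a null check, so a document that reaches them without a `rule` object fails the whole pipeline with a null-pointer script error instead of being indexed untagged — and such documents can get this far, because the `json` processor runs with `"ignore_failure": true` and the `message2.rule` rename with `"ignore_missing": true`. Writing each condition with the null-safe accessor, `"if": "ctx.rule?.level == 1"` (and `ctx.rule?.level != null` on the append), lets an unparseable or rule-less event pass through. Separately, `data.dstip` and `data.win.eventdata.destinationIp` both rename into `destination.ip` (and the two port fields into `destination.port`) with no `ignore_failure`, so a record that carries both would fail on the second rename; if the two decoders can ever populate the same event, the later rename needs `"ignore_failure": true` or a distinct target. The `data.win.eventdata.sourceIp` rename still lands in `source_ip` while every sibling uses the dotted `source.ip` / `source.port` form, which looks like a leftover typo the commit did not touch. The level-13 category value also still reads `"Unusal error (high importance)"`, presumably meant to be "Unusual".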