CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

zeek.analyzer format json

Browse Source
This commit is contained in:
reyesj2
2025-11-14 14:14:54 -06:00
parent 68b0cd7549
commit fcfd74ec1e
1 changed files with 107 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
salt/elasticsearch/files/ingest/zeek.analyzer
View File

@@ -1,20 +1,108 @@
{
"description" : "zeek.dpd",
"processors" : [
{ "set": { "field": "event.dataset", "value": "dpd" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzer", "target_field": "observer.analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.failure_reason", "target_field": "error.reason", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
"description": "zeek.dpd",
"processors": [
{
"set": {
"field": "event.dataset",
"value": "dpd"
}
},
{
"remove": {
"field": [
"host"
],
"ignore_failure": true
}
},
{
"json": {
"field": "message",
"target_field": "message2",
"ignore_failure": true
}
},
{
"dot_expander": {
"field": "id.orig_h",
"path": "message2",
"ignore_failure": true
}
},
{
"rename": {
"field": "message2.id.orig_h",
"target_field": "source.ip",
"ignore_missing": true
}
},
{
"dot_expander": {
"field": "id.orig_p",
"path": "message2",
"ignore_failure": true
}
},
{
"rename": {
"field": "message2.id.orig_p",
"target_field": "source.port",
"ignore_missing": true
}
},
{
"dot_expander": {
"field": "id.resp_h",
"path": "message2",
"ignore_failure": true
}
},
{
"rename": {
"field": "message2.id.resp_h",
"target_field": "destination.ip",
"ignore_missing": true
}
},
{
"dot_expander": {
"field": "id.resp_p",
"path": "message2",
"ignore_failure": true
}
},
{
"rename": {
"field": "message2.id.resp_p",
"target_field": "destination.port",
"ignore_missing": true
}
},
{
"rename": {
"field": "message2.proto",
"target_field": "network.protocol",
"ignore_missing": true
}
},
{
"rename": {
"field": "message2.analyzer",
"target_field": "observer.analyzer",
"ignore_missing": true
}
},
{
"rename": {
"field": "message2.failure_reason",
"target_field": "error.reason",
"ignore_missing": true
}
},
{
"pipeline": {
"name": "zeek.common"
}
}
]
}