
3 Commits

Author SHA1 Message Date
Josh Brower e1d830da76 proc_creation per OS type 2026-05-08 09:11:24 -04:00
Josh Brower e847c46129 Merge pull request #15872 from Security-Onion-Solutions/3/soc-logs
cleanup status code
2026-05-07 19:01:24 +02:00
Josh Brower 499f7102bd cleanup status code 2026-05-07 11:27:49 -04:00
2 changed files with 24 additions and 2 deletions
+2 -1
@@ -63,7 +63,8 @@
{ "set": { "if": "ctx.event?.dataset != null && !ctx.event.dataset.contains('.')", "field": "event.dataset", "value": "{{event.module}}.{{event.dataset}}" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } },
{ "convert": { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "type":"long", "ignore_missing": true } },
{ "grok": { "if": "ctx.http?.response?.status_code instanceof String", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long}(?:\\s+%{GREEDYDATA})?"], "ignore_failure": true } },
{ "convert": { "if": "ctx.http?.response?.status_code != null && !(ctx.http.response.status_code instanceof Number)", "field": "http.response.status_code", "type": "long", "ignore_failure": true } },
{ "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
{ "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
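Review bot: The grok on `http.response.status_code` is unanchored and uses `%{NUMBER}`, so it can capture a number from the middle of a string, or a signed or decimal one. When neither it nor the following `convert` succeeds, `"ignore_failure": true` hides both failures and the field stays a string. If the index template maps this field as `long` (not visible here), that leftover string may cause the document to be rejected or the field dropped at index time, a silent gap for any detection keyed on status codes. Consider anchoring and narrowing the pattern, `"patterns": ["^%{POSINT:http.response.status_code:long}(?:\\s+%{GREEDYDATA})?$"]`, and giving the final `convert` an `on_failure` handler that removes the field and appends a parse-failure tag of your choosing. The +/- markers are lost on this page, so which of the three status-code lines are new is inferred from the +2 -1 count.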
+22 -1
@@ -126,15 +126,36 @@ transformations:
fields:
- event.code
# Maps process_creation rules to endpoint process creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_process_create_windows_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
host.os.type: 'windows'
rule_conditions:
- type: logsource
category: process_creation
product: windows
- id: endpoint_process_create_macos_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
host.os.type: 'macos'
rule_conditions:
- type: logsource
category: process_creation
product: macos
- id: endpoint_process_create_linux_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
host.os.type: 'linux'
rule_conditions:
- type: logsource
category: process_creation
product: linux
# Maps file_event rules to endpoint file creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_file_create_add-fields
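Review bot: With `host.os.type` now required in all three `endpoint_process_create_*_add-fields` conditions, process-start events that lack that field will no longer match any `process_creation` rule. That is exactly the case the comment above the windows mapping describes ("OS-agnostic mapping, to account for logs that don't specify source OS"). If that comment remains on the new side it is stale; something like `# Per-OS mappings: a process_creation rule only matches events whose host.os.type equals the rule's product` would describe the new behaviour. It is also worth confirming that every endpoint source populates `host.os.type` with the lowercase values used here, and whether rules declaring `category: process_creation` without a `product` still receive a condition, since none of the three `rule_conditions` would select them. The rest of the `transformations:` list lies outside this hunk, so a fallback mapping may already exist elsewhere.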