{ "description": "zeek.dns", "processors": [ { "set": { "field": "event.dataset", "value": "dns" } }, { "remove": { "field": [ "host" ], "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.trans_id", "target_field": "dns.id", "ignore_missing": true } }, { "rename": { "field": "message2.rtt", "target_field": "event.duration", "ignore_missing": true } }, { "rename": { "field": "message2.query", "target_field": "dns.query.name", "ignore_missing": true } }, { "rename": { "field": "message2.qclass", "target_field": "dns.query.class", "ignore_missing": true } }, { "rename": { "field": "message2.qclass_name", "target_field": "dns.query.class_name", "ignore_missing": true } }, { "rename": { "field": "message2.qtype", "target_field": "dns.query.type", "ignore_missing": true } }, { "rename": { "field": "message2.qtype_name", "target_field": "dns.query.type_name", "ignore_missing": true } }, { "rename": { "field": "message2.rcode", "target_field": "dns.response.code", "ignore_missing": true } }, { "rename": { "field": "message2.rcode_name", "target_field": "dns.response.code_name", "ignore_missing": true } }, { "rename": { "field": "message2.AA", "target_field": "dns.authoritative", "ignore_missing": true } }, { "rename": { "field": "message2.TC", "target_field": "dns.truncated", "ignore_missing": true } }, { "rename": { "field": "message2.RD", "target_field": "dns.recursion.desired", "ignore_missing": true } }, { "rename": { "field": "message2.RA", "target_field": "dns.recursion.available", "ignore_missing": true } }, { "rename": { "field": "message2.Z", "target_field": "dns.reserved", "ignore_missing": true } }, { "rename": { "field": "message2.answers", "target_field": "dns.answers.name", "ignore_missing": true } }, { "foreach": { "field": "dns.answers.name", "processor": { "pipeline": { "name": "common.ip_validation" } }, "if": "ctx.dns != null && ctx.dns.answers != null && ctx.dns.answers.name != null", "ignore_failure": true } }, { "foreach": { "field": "temp._valid_ips", "processor": { "append": { "field": "dns.resolved_ip", "allow_duplicates": false, "value": "{{{_ingest._value}}}", "ignore_failure": true } }, "if": "ctx.dns != null && ctx.dns.answers != null && ctx.dns.answers.name != null", "ignore_failure": true } }, { "script": { "source": "if (ctx.dns.resolved_ip != null && ctx.dns.resolved_ip instanceof List) {\n ctx.dns.resolved_ip.removeIf(item -> item == null || item.toString().trim().isEmpty());\n }", "ignore_failure": true } }, { "remove": { "field": [ "temp" ], "ignore_missing": true, "ignore_failure": true } }, { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } }, { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } }, { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } }, { "set": { "if": "ctx._index == 'so-zeek'", "field": "_index", "value": "so-zeek_dns", "override": true } }, { "pipeline": { "if": "ctx.dns?.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } }, { "pipeline": { "name": "zeek.common" } } ] }