{
  "description" : "Strelka logs",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "file" } },
    { "json":           { "field": "message",                        "target_field": "message2",                   "ignore_failure": true  } },
    { "rename":         { "field": "message2.file",        "target_field": "file",          "ignore_missing": true  } },
    { "rename":         { "field": "message2.scan",        "target_field": "scan",          "ignore_missing": true  } },
    { "rename":         { "field": "message2.request",        "target_field": "request",          "ignore_missing": true  } },
    { "rename":         { "field": "scan.hash",        "target_field": "hash",          "ignore_missing": true  } },
    { "rename":         { "field": "scan.exiftool",        "target_field": "exiftool",          "ignore_missing": true  } },
    { "grok":           { "if": "ctx.request?.attributes?.filename != null",   "field": "request.attributes.filename",       "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } },
    { "gsub":           { "if": "ctx.request?.attributes?.filename != null",   "field": "request.attributes.filename",       "pattern": "\/nsm\/strelka\/staging",      "replacement": "\/nsm\/strelka\/processed" } },
    { "foreach":
      {
        "if": "ctx.exiftool?.keys !=null",
          "field": "exiftool.keys",
          "processor": {
            "append": {
              "field": "scan.exiftool",
              "value": "{{_ingest._value.key}}={{_ingest._value.value}}"
            }
          }
      }
    },
    { "foreach":
      {
        "if": "ctx.exiftool?.keys !=null",
          "field": "exiftool.keys",
          "processor": {
            "set": {
              "field": "exiftool.{{_ingest._value.key}}",
              "value": "{{_ingest._value.value}}"
            }
          }
      }
    },
    { "foreach":
      {
        "if": "ctx.scan?.yara?.meta !=null",
          "field": "scan.yara.meta",
          "processor":{
            "set": {
              "field": "rule.{{_ingest._value.identifier}}",
              "value": "{{_ingest._value.value}}"
            }
          }
      }
    },
    { "set":         { "if": "ctx.exiftool?.SourceFile != null", "field": "file.source",        "value": "{{exiftool.SourceFile}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.exiftool?.FilePermissions != null", "field": "file.permissions",        "value": "{{exiftool.FilePermissions}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.exiftool?.FileName != null", "field": "file.name",        "value": "{{exiftool.FileName}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.exiftool?.FileModifyDate != null", "field": "file.mtime",        "value": "{{exiftool.FileModifyDate}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.exiftool?.FileAccessDate != null", "field": "file.accessed",        "value": "{{exiftool.FileAccessDate}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.exiftool?.FileInodeChangeDate != null", "field": "file.ctime",        "value": "{{exiftool.FileInodeChangeDate}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory",        "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem",        "value": "{{exiftool.Subsystem}}", "ignore_failure": true }},
    { "set":         { "if": "ctx.scan?.yara?.matches instanceof List", "field": "rule.name",        "value": "{{scan.yara.matches.0}}" }},
    { "set":         { "if": "ctx.rule?.name != null", "field": "event.dataset",        "value": "alert", "override": true }},
    { "set":         { "if": "ctx.rule?.name != null", "field": "rule.uuid",        "value": "{{rule.name}}", "override": true }},
    { "rename":         { "field": "file.flavors.mime", "target_field": "file.mime_type",        "ignore_missing": true }},
    { "set":         { "if": "ctx.rule?.name != null && ctx.rule?.score == null",   "field": "event.severity", "value": 3, "override": true }  },
    { "convert" :    { "if": "ctx.rule?.score != null", "field" : "rule.score","type": "integer"}},
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 0 && ctx.rule?.score <= 49",   "field": "event.severity", "value": 1, "override": true }  },
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69",   "field": "event.severity", "value": 2, "override": true }  },
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89",   "field": "event.severity", "value": 3, "override": true }  },
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90",   "field": "event.severity", "value": 4, "override": true }  },
    { "set":         { "if": "ctx.scan?.entropy?.entropy == '0'",   "field": "scan.entropy.entropy", "value": "0.0", "override": true }  },
    { "set":         { "if": "ctx.scan?.pe?.image_version == '0'",   "field": "scan.pe.image_version", "value": "0.0", "override": true }  },
    { "set":         { "field": "observer.name",        "value": "{{agent.name}}" }},
    { "convert" :    { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
    { "convert" :    { "field" : "scan.pe.flags","type": "string", "ignore_missing":true }},
    { "remove":      { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },
    { "pipeline":    { "name": "common"                                                                                   } }
  ]
}