{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
# Logstash pipeline: normalise Zeek/Bro-style events carrying type `fe_clone`
# and forward them to the FireEye Helix upload API. The file is rendered by
# Salt; the Helix API key is read from pillar `fireeye:helix:api_key`.
#
# NOTE(review): the pillar lookup falls back to '' — a missing key renders an
# empty Authorization header instead of failing the render, so events would be
# posted without credentials and rejected upstream. The rendered key also sits
# in plaintext in this file; keep the on-disk permissions tight.

filter {

  if "fe_clone" in [type] {

    # Split each address field into a protocol-specific field. Only an exact,
    # full-string match is accepted (^...$). The IPv4 branch uses the stock
    # %{IPV4} pattern; the IPv6 branch is spelled out.
    #
    # NOTE(review): the long pattern opens with `(?^`, which is not a valid
    # group construct in grok/Oniguruma. It looks as though a named capture of
    # the form `(?<NAME>` was stripped from the text, in which case the IPv6
    # address is currently captured into nothing. Confirm against the original
    # source before deploying.
    grok {
      match => [
        "source_ip", "^%{IPV4:srcipv4}$",
        "source_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)"
      ]
    }
    grok {
      match => [
        "destination_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)",
        "destination_ip", "^%{IPV4:dstipv4}$"
      ]
    }

    # Enrich both endpoints with GeoIP data before the raw address fields are
    # dropped by the mutate below.
    geoip {
      source => "[source_ip]"
      target => "source_geo"
    }
    geoip {
      source => "[destination_ip]"
      target => "destination_geo"
    }

    # Map to the Helix field names and strip what is not forwarded. Flattening
    # the *_geo country codes was disabled in the original and is left out.
    mutate {
      rename => {
        "syslog-host_from" => "sensor"
        "message"          => "rawmsg"
        "event_type"       => "program"
        "source_port"      => "srcport"
        "destination_port" => "dstport"
      }
      # mutate runs rename ahead of copy, so `program` already exists here.
      copy => { "program" => "class" }
      # NOTE(review): dropping `tags` also discards `_grokparsefailure` and
      # `_geoip_lookup_failure`, so a failed parse or lookup on this path is
      # invisible downstream.
      remove_field => [
        "source_ip", "destination_ip",
        "sensorname", "sensor_name", "service", "source", "tags", "syslog-host",
        "source_ips", "ips", "destination_ips",
        "syslog-priority", "syslog-file_name", "syslog-facility"
      ]
    }
  }

  # Per-log renames for Zeek/Bro records. These key on `program`, which for
  # fe_clone events is the renamed `event_type` from the block above.

  if "bro_conn" in [program] {
    mutate {
      rename => {
        "original_bytes"    => "sentbytes"
        "respond_bytes"     => "rcvdbytes"
        "connection_state"  => "connstate"
        "uid"               => "connectionid"
        "respond_packets"   => "rcvdpackets"
        "original_packets"  => "sentpackets"
        "respond_ip_bytes"  => "rcvdipbytes"
        "original_ip_bytes" => "sentipbytes"
        "local_respond"     => "local_resp"
        "local_orig"        => "localorig"
        "missed_bytes"      => "missingbytes"
      }
    }
  }

  if "bro_dns" in [program] {
    mutate {
      rename => {
        "query"            => "domain"
        "query_class"      => "queryclass"
        "query_class_name" => "queryclassname"
        "query_type"       => "querytype"
        "query_type_name"  => "querytypename"
        "ra"               => "recursionavailable"
        "rd"               => "recursiondesired"
      }
    }
  }

  if "bro_dhcp" in [program] {
    # NOTE(review): `ips` is already removed in the fe_clone block above, so
    # for events that arrive with that type this rename has nothing to act on.
    mutate {
      rename => { "ips" => "ip" }
    }
  }

  if "bro_files" in [program] {
    mutate {
      rename => {
        "missing_bytes" => "missingbytes"
        "fuid"          => "fileid"
        "uid"           => "connectionid"
      }
    }
  }

  if "bro_http" in [program] {
    mutate {
      rename => {
        "status_code"       => "statuscode"
        "status_message"    => "statusmsg"
        "resp_mime_types"   => "rcvdmimetype"
        "resp_fuids"        => "rcvdfileid"
        "response_body_len" => "rcvdbodybytes"
        "request_body_len"  => "sentbodybytes"
      }
    }
  }
}

output {
  if "fe_clone" in [type] {
    # Batch-post to the Helix upload API over TLS using the pillar-supplied key.
    # NOTE(review): the `source=test` label in the URL looks like a placeholder;
    # confirm it is the intended Helix source before this goes to production.
    http {
      url              => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload?source=test&format=json"
      http_method      => post
      http_compression => true
      headers          => { "Authorization" => "{{ HELIX_API_KEY }}" }
      format           => json_batch
    }
  }
}