{
"description": "suricata.alert",
"processors": [
{
"set": {
"if": "ctx.event?.imported != true",
"field": "_index",
"value": "logs-suricata.alerts-so"
}
},
{
"set": {
"field": "tags",
"value": "alert"
}
},
{
"rename": {
"field": "message2.alert",
"target_field": "rule",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"rename": {
"field": "rule.signature",
"target_field": "rule.name",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"rename": {
"field": "rule.ref",
"target_field": "rule.version",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"rename": {
"field": "rule.signature_id",
"target_field": "rule.uuid",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"rename": {
"field": "rule.signature_id",
"target_field": "rule.signature",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"rename": {
"field": "message2.payload_printable",
"target_field": "network.data.decoded",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"dissect": {
"field": "rule.rule",
"pattern": "%{?prefix}content:\"%{dns.query_name}\"%{?remainder}",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"pipeline": {
"name": "common.nids"
}
}
]
} |