CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
4b99f55e0ac1135c91310419c5c263edb1766cf1
securityonion/salt/elasticsearch/files/ingest/common
Josh Brower a8b980b6a7 More Playbook Fixes - Issue #1064
2020-08-07 13:35:43 -04:00

62 lines
3.1 KiB
Plaintext
Raw Blame History

{
"description" : "common",
"processors" : [
{
"geoip": {
"field": "destination.ip",
"target_field": "destination.geo",
"database_file": "GeoLite2-City.mmdb",
"ignore_missing": true,
"ignore_failure": true,
"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
}
},
{
"geoip": {
"field": "source.ip",
"target_field": "source.geo",
"database_file": "GeoLite2-City.mmdb",
"ignore_missing": true,
"ignore_failure": true,
"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
}
},
{
"split": {
"field": "_index",
"target_field": "index_name_prefix",
"separator": "-"
}
},
{
"date_index_name": {
"field": "@timestamp",
"index_name_prefix": "{{index_name_prefix.0}}-{{index_name_prefix.1}}-",
"date_rounding": "d",
"ignore_failure": true,
"index_name_format": "yyyy.MM.dd"
}
},
{ "set": { "if": "ctx.event?.severity == 1", "field": "event.severity_label", "value": "low", "override": true } },
{ "set": { "if": "ctx.event?.severity == 2", "field": "event.severity_label", "value": "medium", "override": true } },
{ "set": { "if": "ctx.event?.severity == 3", "field": "event.severity_label", "value": "high", "override": true } },
{ "set": { "if": "ctx.event?.severity == 4", "field": "event.severity_label", "value": "critical", "override": true } },
{ "rename": { "field": "module", "target_field": "event.module", "ignore_failure": true, "ignore_missing": true } },
{ "rename": { "field": "dataset", "target_field": "event.dataset", "ignore_failure": true, "ignore_missing": true } },
{ "rename": { "field": "category", "target_field": "event.category", "ignore_failure": true, "ignore_missing": true } },
{ "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_failure": true, "ignore_missing": true } },
{ "lowercase": { "field": "event.dataset", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "destination.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "source.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
{
"remove": {
"field": [ "index_name_prefix", "message2", "type" ],
"ignore_failure": true
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink