{
"description": "zeek.ja4d",
"processors": [
{
"set": {
"field": "event.dataset",
"value": "ja4d"
}
},
{
"remove": {
"field": [
"host"
],
"ignore_failure": true
}
},
{
"json": {
"field": "message",
"target_field": "message2",
"ignore_failure": true
}
},
{
"rename": {
"field": "message2.ja4d",
"target_field": "hash.ja4d",
"ignore_missing": true,
"if": "ctx?.message2?.ja4d != null && ctx.message2.ja4d.length() > 0"
}
},
{
"rename": {
"field": "message2.client_mac",
"target_field": "host.mac",
"ignore_missing": true,
"if": "ctx?.message2?.client_mac != null && ctx.message2.client_mac.length() > 0"
}
},
{
"rename": {
"field": "message2.hostname",
"target_field": "host.hostname",
"ignore_missing": true,
"if": "ctx?.message2?.hostname != null && ctx.message2.hostname.length() > 0"
}
},
{
"rename": {
"field": "message2.requested_ip",
"target_field": "dhcp.requested_address",
"ignore_missing": true,
"if": "ctx?.message2?.requested_ip != null && ctx.message2.requested_ip.length() > 0"
}
},
{
"rename": {
"field": "message2.vendor_class_id",
"target_field": "zeek.ja4d.vendor_class_id",
"ignore_missing": true,
"if": "ctx?.message2?.vendor_class_id != null && ctx.message2.vendor_class_id.length() > 0"
}
},
{
"pipeline": {
"name": "zeek.common"
}
}
]
} |