securityonion/salt/elasticsearch/files/ingest/suricata.dns

{
    "description": "suricata.dns",
    "processors": [
        {
            "rename": {
                "field": "message2.proto",
                "target_field": "network.transport",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.app_proto",
                "target_field": "network.protocol",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.type",
                "target_field": "dns.query.type",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.tx_id",
                "target_field": "dns.tx_id",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.id",
                "target_field": "dns.id",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.version",
                "target_field": "dns.version",
                "ignore_missing": true
            }
        },
        {
            "pipeline": {
                "name": "suricata.dnsv3",
                "ignore_missing_pipeline": true,
                "if": "ctx?.dns?.version != null && ctx?.dns?.version == 3",
                "ignore_failure": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.rrname",
                "target_field": "dns.query.name",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.rrtype",
                "target_field": "dns.query.type_name",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.flags",
                "target_field": "dns.flags",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.qr",
                "target_field": "dns.qr",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.rd",
                "target_field": "dns.recursion.desired",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.ra",
                "target_field": "dns.recursion.available",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.opcode",
                "target_field": "dns.opcode",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.rcode",
                "target_field": "dns.response.code_name",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.grouped.A",
                "target_field": "dns.answers.data",
                "ignore_missing": true
            }
        },
        {
            "rename": {
                "field": "message2.dns.grouped.CNAME",
                "target_field": "dns.answers.name",
                "ignore_missing": true
            }
        },
        {
            "pipeline": {
                "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')",
                "name": "dns.tld"
            }
        },
        {
            "pipeline": {
                "name": "common"
            }
        }
    ]
}