{
"description" : "ossec",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.agent", "target_field": "agent", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "data", "ignore_missing": true } },
{ "rename": { "field": "message2.decoder", "target_field": "decoder", "ignore_missing": true } },
{ "rename": { "field": "message2.full_log", "target_field": "full_log", "ignore_missing": true } },
{ "rename": { "field": "message2.id", "target_field": "id", "ignore_missing": true } },
{ "rename": { "field": "message2.location", "target_field": "location", "ignore_missing": true } },
{ "rename": { "field": "message2.manager", "target_field": "manager", "ignore_missing": true } },
{ "rename": { "field": "message2.predecoder", "target_field": "predecoder", "ignore_missing": true } },
{ "rename": { "field": "message2.timestamp", "target_field": "timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.rule", "target_field": "wazuh-rule", "ignore_missing": true } },
{ "rename": { "field": "data.command", "target_field": "command", "ignore_missing": true } },
{ "rename": { "field": "data.dstip", "target_field": "destination_ip", "ignore_missing": true } },
{ "rename": { "field": "data.dstport", "target_field": "destination_port", "ignore_missing": true } },
{ "rename": { "field": "data.dstuser", "target_field": "escalated_user", "ignore_missing": true } },
{ "rename": { "field": "data.srcip", "target_field": "source_ip", "ignore_missing": true } },
{ "rename": { "field": "data.srcuser", "target_field": "username", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationHostname", "target_field": "destination_hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationIp", "target_field": "destination_ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationPort", "target_field": "destination_port", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.image", "target_field": "image_path", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.parentImage", "target_field": "parent_image_path", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourceHostname", "target_field": "source_hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourceIp", "target_field": "source_ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourcePort", "target_field": "source_port", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "target_filename", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.user", "target_field": "username", "ignore_missing": true } },
{ "rename": { "field": "data.win.system.eventID", "target_field": "event_id", "ignore_missing": true } },
{ "rename": { "field": "predecoder.program_name", "target_field": "process", "ignore_missing": true } },
{ "rename": { "field": "wazuh-rule.level", "target_field": "alert_level", "ignore_missing": true } },
{ "rename": { "field": "wazuh-rule.description", "target_field": "description", "ignore_missing": true } },
{ "set": { "if": "ctx.alert_level == 1", "field": "classification", "value": "None" } },
{ "set": { "if": "ctx.alert_level == 2", "field": "classification", "value": "System low priority notification" } },
{ "set": { "if": "ctx.alert_level == 3", "field": "classification", "value": "Successful/authorized event" } },
{ "set": { "if": "ctx.alert_level == 4", "field": "classification", "value": "System low priority error" } },
{ "set": { "if": "ctx.alert_level == 5", "field": "classification", "value": "User generated error" } },
{ "set": { "if": "ctx.alert_level == 6", "field": "classification", "value": "Low relevance attack" } },
{ "set": { "if": "ctx.alert_level == 7", "field": "classification", "value": "\"Bad word\" matching" } },
{ "set": { "if": "ctx.alert_level == 8", "field": "classification", "value": "First time seen" } },
{ "set": { "if": "ctx.alert_level == 9", "field": "classification", "value": "Error from invalid source" } },
{ "set": { "if": "ctx.alert_level == 10", "field": "classification", "value": "Multiple user generated errors" } },
{ "set": { "if": "ctx.alert_level == 11", "field": "classification", "value": "Integrity checking warning" } },
{ "set": { "if": "ctx.alert_level == 12", "field": "classification", "value": "High importance event" } },
{ "set": { "if": "ctx.alert_level == 13", "field": "classification", "value": "Unusual error (high importance)" } },
{ "set": { "if": "ctx.alert_level == 14", "field": "classification", "value": "High importance security event" } },
{ "set": { "if": "ctx.alert_level == 15", "field": "classification", "value": "Severe attack" } },
{ "append": { "if": "ctx.alert_level != null", "field": "tags", "value": ["alert"] } },
{ "pipeline": { "name": "common" } }
]
}