CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ded520c2c1f23eb5b1035641775bfcd635f253cc
securityonion/salt/elasticsearch/files/ingest/zeek.pe

26 lines
2.3 KiB
Plaintext
Raw Blame History

{
"description" : "zeek.pe",
"processors" : [
{ "set": { "field": "event.dataset", "value": "pe" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.machine", "target_field": "file.machine", "ignore_missing": true } },
{ "rename": { "field": "message2.compile_ts", "target_field": "file.compile_timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.os", "target_field": "file.os", "ignore_missing": true } },
{ "rename": { "field": "message2.subsystem", "target_field": "file.subsystem", "ignore_missing": true } },
{ "rename": { "field": "message2.is_exe", "target_field": "file.is_exe", "ignore_missing": true } },
{ "rename": { "field": "message2.is_64bit", "target_field": "file.is_64bit", "ignore_missing": true } },
{ "rename": { "field": "message2.uses_aslr", "target_field": "file.aslr", "ignore_missing": true } },
{ "rename": { "field": "message2.uses_dep", "target_field": "file.dep", "ignore_missing": true } },
{ "rename": { "field": "message2.uses_code_integrity","target_field": "file.code_integrity","ignore_missing": true } },
{ "rename": { "field": "message2.uses_seh", "target_field": "file.seh", "ignore_missing": true } },
{ "rename": { "field": "message2.has_import_table", "target_field": "file.table.import", "ignore_missing": true } },
{ "rename": { "field": "message2.has_export_table", "target_field": "file.table.export", "ignore_missing": true } },
{ "rename": { "field": "message2.has_cert_table", "target_field": "file.table.cert", "ignore_missing": true } },
{ "rename": { "field": "message2.has_debug_data", "target_field": "file.debug_data", "ignore_missing": true } },
{ "rename": { "field": "message2.section_names", "target_field": "file.section_names", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}
Reference in New Issue View Git Blame Copy Permalink