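---
# Ingest pipeline for Carbon Black Cloud "Asset Vulnerability Summary" documents.
# Flow: keep the raw message in event.original, decode it into a scratch `json`
# object, move the known keys to ECS / integration fields, copy whatever is left
# under carbon_black_cloud.asset_vulnerability_summary, then drop empty values.
# Any processor error not handled locally lands in the pipeline-level on_failure
# at the bottom, which marks the event as event.kind: pipeline_error.
description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary.
processors:
  # Preserve the raw event before any parsing touches it.
  - rename:
      field: message
      target_field: event.original
      ignore_missing: true
  - set:
      field: ecs.version
      value: '8.8.0'
  - set:
      field: event.kind
      value: state
  # A message that is not valid JSON fails here and falls through to on_failure.
  - json:
      field: event.original
      target_field: json
  - rename:
      field: json.host_name
      target_field: host.hostname
      ignore_missing: true
  - append:
      field: related.hosts
      value: '{{{host.hostname}}}'
      if: ctx.host?.hostname != null
      allow_duplicates: false
      ignore_failure: true
  # device_id may arrive as a number; host.id is a keyword, so force a string.
  - convert:
      field: json.device_id
      target_field: host.id
      type: string
      ignore_missing: true
      ignore_failure: true
  - rename:
      field: json.name
      target_field: host.name
      ignore_missing: true
  - rename:
      field: json.os_info.os_name
      target_field: host.os.name
      ignore_missing: true
  # Null-safe on every link of the path: a document without an os_info object
  # must not throw in the condition (a thrown condition routes the whole event
  # to on_failure instead of just skipping this processor).
  # NOTE(review): ECS host.os.type is intended to be a broad family (linux,
  # windows, macos, ...); `ubuntu` / `centos` are distribution names. Left as-is
  # because existing consumers may filter on these values -- confirm before changing.
  - set:
      field: host.os.type
      value: windows
      if: ctx.json?.os_info?.os_type == 'WINDOWS'
  - set:
      field: host.os.type
      value: ubuntu
      if: ctx.json?.os_info?.os_type == 'UBUNTU'
  - set:
      field: host.os.type
      value: centos
      if: ctx.json?.os_info?.os_type == 'CENTOS'
  - rename:
      field: json.os_info.os_version
      target_field: host.os.version
      ignore_missing: true
  # Non-numeric scores are dropped and recorded in error.message rather than
  # failing the event; the source field is removed so it cannot leak through
  # the catch-all script below.
  - convert:
      field: json.highest_risk_score
      target_field: vulnerability.score.base
      type: double
      ignore_missing: true
      on_failure:
        - remove:
            field: json.highest_risk_score
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  - rename:
      field: json.severity
      target_field: vulnerability.severity
      ignore_missing: true
  # Empty-string timestamps are skipped explicitly; an unparsable one is dropped
  # and noted in error.message.
  - date:
      field: json.last_sync_ts
      if: ctx.json?.last_sync_ts != null && ctx.json.last_sync_ts != ''
      formats:
        - ISO8601
      target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp
      on_failure:
        - remove:
            field: json.last_sync_ts
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  - rename:
      field: json.sync_status
      target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status
      ignore_missing: true
  - rename:
      field: json.sync_type
      target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type
      ignore_missing: true
  - rename:
      field: json.type
      target_field: carbon_black_cloud.asset_vulnerability_summary.type
      ignore_missing: true
  - rename:
      field: json.vm_id
      target_field: carbon_black_cloud.asset_vulnerability_summary.vm.id
      ignore_missing: true
  - rename:
      field: json.vm_name
      target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name
      ignore_missing: true
  - convert:
      field: json.vuln_count
      target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count
      type: integer
      ignore_missing: true
      on_failure:
        - remove:
            field: json.vuln_count
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  # Source keys that were converted or consumed above (convert/date/set keep the
  # original field in place) are removed so the catch-all script does not copy
  # them a second time under their raw names.
  - remove:
      field:
        - json.last_sync_ts
        - json.vuln_count
        - json.os_info.os_type
        - json.device_id
        - json.highest_risk_score
      ignore_missing: true
  # Catch-all: copy any key the processors above did not consume so that new or
  # undocumented upstream fields are not silently lost. The target maps are
  # created on demand because none of the renames above run when their source
  # key is absent, in which case ctx.carbon_black_cloud would still be null and
  # the assignment would throw a NullPointerException.
  - script:
      description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary.
      lang: painless
      if: ctx.json != null
      source: |
        if (ctx.carbon_black_cloud == null) {
          ctx.carbon_black_cloud = new HashMap();
        }
        if (ctx.carbon_black_cloud.asset_vulnerability_summary == null) {
          ctx.carbon_black_cloud.asset_vulnerability_summary = new HashMap();
        }
        for (Map.Entry m : ctx.json.entrySet()) {
          ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue();
        }
  - remove:
      field: json
      ignore_missing: true
  # Walks the whole document and prunes nulls, empty strings, and containers
  # that become empty after pruning (including the maps created on demand above).
  - script:
      description: Drops null/empty values recursively.
      lang: painless
      source: |
        boolean dropEmptyFields(Object object) {
          if (object == null || object == '') {
            return true;
          } else if (object instanceof Map) {
            ((Map) object).values().removeIf(value -> dropEmptyFields(value));
            return (((Map) object).size() == 0);
          } else if (object instanceof List) {
            ((List) object).removeIf(value -> dropEmptyFields(value));
            return (((List) object).length == 0);
          }
          return false;
        }
        dropEmptyFields(ctx);
  # The raw copy is kept only when the integration is configured to preserve it.
  - remove:
      field: event.original
      if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
      ignore_missing: true
# Any unhandled processor error ends up here: the event is still indexed, but
# flagged so that detections and dashboards can tell parsed from broken documents.
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: '{{{_ingest.on_failure_message}}}'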