/
fp-pipeline.yml
31 lines (31 loc) · 982 Bytes
/
fp-pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
---
description: Pipeline for Forcepoint CEF
processors:
# cs1 is ruleID
- set:
field: rule.id
ignore_empty_value: true
value: '{{cef.extensions.deviceCustomString1}}'
# cs2 is natRuleID
- set:
field: rule.id
ignore_empty_value: true
value: '{{cef.extensions.deviceCustomString2}}'
# cs3 is VulnerabilityReference
- set:
field: vulnerability.reference
ignore_empty_value: true
value: '{{cef.extensions.deviceCustomString3}}'
# cs4 is virusID
- set:
field: cef.forcepoint.virus_id
ignore_empty_value: true
value: '{{cef.extensions.deviceCustomString4}}'
on_failure:
- append:
field: error.message
value: |-
Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
- set:
field: event.kind
value: pipeline_error