diff --git a/ecs-configuration/logstash/pipelines/suricata/logstash-601-filter-suricata-fileinfo.conf b/ecs-configuration/logstash/pipelines/suricata/logstash-601-filter-suricata-fileinfo.conf
index 348c886..ba212b8 100644
--- a/ecs-configuration/logstash/pipelines/suricata/logstash-601-filter-suricata-fileinfo.conf
+++ b/ecs-configuration/logstash/pipelines/suricata/logstash-601-filter-suricata-fileinfo.conf
@@ -1,6 +1,5 @@
 filter {
- if [@metadata][stage] == "suricata_json" {
- if [fileinfo] {
+ if [fileinfo] {
 mutate {
 rename => {
 "[fileinfo][md5]" => "[file][hash][md5]"
@@ -9,8 +8,10 @@ filter {
 "[fileinfo][sha512]" => "[file][hash][sha512]"
 "[fileinfo][filename]" => "[file][name]"
 "[fileinfo][size]" => "[file][size]"
- }
+ "[fileinfo][magic]" => "[file][mime_type]"
+ }
+ merge => { "[related][id]" => "[fileinfo][tx_id]" }
 }
 }
 }
diff --git a/ecs-configuration/logstash/pipelines/suricata/logstash-601-filter-suricata-smb.conf b/ecs-configuration/logstash/pipelines/suricata/logstash-601-filter-suricata-smb.conf
index 3297a99..ff9fb21 100644
--- a/ecs-configuration/logstash/pipelines/suricata/logstash-601-filter-suricata-smb.conf
+++ b/ecs-configuration/logstash/pipelines/suricata/logstash-601-filter-suricata-smb.conf
@@ -1,18 +1,20 @@
 ## SMB_Files #############################################################
 filter {
-if [@metadata][stage] == "suricata_json" {
 if [smb] {
 mutate {
 rename => {
 "[smb][accessed]" => "[file][accessed]"
 "[smb][created]" => "[file][created]"
- "[smb][modified]" => "[file][modified]"
+ "[smb][modified]" => "[file][mtime]"
 "[smb][filename]" => "[file][name]"
- }
- merge => { "[related][id]" => "[log][id][fuid]" }
- }
+ "[smb][share]" => "[file][path]"
+ "[smb][share_type]" => "[file][type]"
+ "[smb][changed]" => "[file][ctime]"
+ }
+ merge => { "[related][id]" => "[log][id][fuid]" }
 }
+ }
 }
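Review bot: Dropping the `[@metadata][stage] == "suricata_json"` guard means the `[fileinfo]` renames now run for any event that carries a `fileinfo` field, whichever input it came from; the same guard is removed in logstash-601-filter-suricata-smb.conf. If the stage gating has moved to input-side routing that is fine, but nothing in this diff shows it, and an event from another source that happens to emit `fileinfo` or `smb` would be mapped into ECS `file.*` silently. A one-line comment at the top of the filter would make the new assumption explicit, e.g. `# Assumes only Suricata EVE events reach this pipeline; confirm input-side routing before adding other sources`. The `filter {` block continues past the end of this hunk.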
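Review bot: The new rename `"[fileinfo][magic]" => "[file][mime_type]"` puts Suricata's libmagic description string into ECS `file.mime_type`, which is defined as an IANA media type; as far as I recall `fileinfo.magic` is the free-text magic label rather than a media type, so any detection or dashboard filtering on media types will not match these values and the field's type contract is broken. Keeping the value under a source-specific or custom field and leaving `file.mime_type` unset is the safer choice unless a real media type is available. Separately, `merge => { "[related][id]" => "[fileinfo][tx_id]" }` appends a transaction counter to `related.id`; if I read Suricata's EVE output correctly, `tx_id` is only meaningful together with `flow_id`, so on its own it will correlate unrelated events across flows, and the SMB file merges `[log][id][fuid]` instead, so the two files now disagree on what `related.id` carries.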
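Review bot: `"[smb][share_type]" => "[file][type]"` maps Suricata's SMB share type (values such as FILE, PIPE or PRINT, as I recall) into ECS `file.type`, whose expected values are `file`, `dir` or `symlink`; a named-pipe tree connect then appears as an undefined file type, and `FILE` will not match `file` in a case-sensitive keyword query. Likewise `"[smb][share]" => "[file][path]"` stores the share name rather than the path of the file, while ECS expects `file.path` to hold the full path including the file name that `[file][name]` also receives. Both values are better left in the `[smb]` namespace; if the mapping is deliberate, document it above the rename with something like `# file.type/file.path hold the SMB share type and share name, not ECS file semantics` so downstream rule authors are not misled.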