diff --git a/filters/privafy/privafy.conf b/filters/privafy/privafy.conf deleted file mode 100644 index b539e7836..000000000 --- a/filters/privafy/privafy.conf +++ /dev/null 
@@ -1,1187 +0,0 @@ -filter { - -# Privafy filter version 1.1.4 -# Based on (User Doc) https://docs.progress.com/es-ES/bundle/loadmaster-technical-note-common-event-format-cef-logs-ga/page/Common-Event-Format-CEF-Logs.html (December, 2023) -# and (User Doc) https://help.deepsecurity.trendmicro.com/20_0/on-premise/event-syslog-message-formats.html (December, 2023) -# and example logs provided by user during POC -# LEEF:Version|Vendor|Product|Version|EventID|(DelimiterCharacter) disponible en 2.0| -# LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345| -# LEEF:2.0|Lancope|StealthWatch|1.0|41|x5E| -# Note: This is a filter developed to integrate with generic pipeline, so, needs entrypoint, if not set goes to generic - if [message] { - split { - field => "message" - terminator => "" - } - } - - #Looking for datasource generated by an agent and parse original message - if [message]=~/\[utm_stack_agent_ds=(.+)\]-(.+)/ { - grok { - match => { - "message" => [ "\[utm_stack_agent_ds=%{DATA:dataSource}\]-%{GREEDYDATA:original_log_message}" ] - } - } - } - if [original_log_message] { - mutate { - update => { "message" => "%{[original_log_message]}" } - } - } - -#......................................................................# -# Creating privafy message field from syslog message - if [logx][syslog][message] { - mutate { - add_field => { "prvf_message" => "%{[logx][syslog][message]}" } - } - } else { - mutate { - add_field => { "prvf_message" => "%{message}" } - } - } -#......................................................................# -# Privafy Entry point - if [prvf_message] and (("CEF:" in [prvf_message] or "LEEF:" in [prvf_message]) and [prvf_message] =~/\|(\w+)?(\s)?Privafy(\s)?(\w+)?\|/ ) { -#......................................................................# -#Generating dataSource field required by CurrelationRulesEngine -#Checks if exists, if not evaluate to the host variable - if (![dataSource]){ - mutate { - add_field => { "dataSource" => "%{host}" } - } - } 
-#......................................................................# -#Generating dataType field required by CurrelationRulesEngine - if (![dataType]){ - mutate { - add_field => { "dataType" => "privafy" } - } - } else { - mutate { - update => { "dataType" => "privafy" } - } - } -#......................................................................# -#If CEF or LEEF formatted log do the parsing of the prvf_message mark as undefined syslog format - if ("CEF:" in [prvf_message] or "LEEF:" in [prvf_message] ) { -#......................................................................# -#Using grok to parse header of the prvf_message - grok { - match => { - "prvf_message" => [ - "(%{INT:not_defined})?(\s)?(<%{NUMBER:priority}>)?(%{INT:syslog_version})?((\s)%{GREEDYDATA:syslog_date_host}(\s))?(?(CEF|LEEF)):(\s)?(?(%{INT}\.%{INT}|%{INT}))%{GREEDYDATA:cef_or_leef_msg_all}" - ] - } - } - } - if ("CEF:" in [prvf_message] ) { -#......................................................................# -#Using grok to parse components of the cef_or_leef_msg_all - if [cef_or_leef_msg_all] { - grok { - match => { - "cef_or_leef_msg_all" => [ - "\|%{DATA:embDeviceVendor}\|%{DATA:embDeviceProduct}\|%{DATA:embDeviceVersion}\|%{DATA:embEventClassID}\|%{DATA:embName}\|%{DATA:embSeverity}\|%{GREEDYDATA:cef_or_leef_msg}", - "\|%{DATA:embDeviceVendor}\|%{DATA:embDeviceProduct}\|%{DATA:embEventClassID}\|%{DATA:embName}\|%{DATA:embSeverity}\|%{GREEDYDATA:cef_or_leef_msg}", - "\|%{DATA:embDeviceVendor}\|%{DATA:embDeviceProduct}\|%{GREEDYDATA:cef_or_leef_msg}" - ] - } - } - } - } else if ("LEEF:" in [prvf_message] ) { -#......................................................................# -#Using grok to parse components of the leef_message - if [cef_or_leef_msg_all] { - grok { - match => { - "cef_or_leef_msg_all" => [ - "\|%{DATA:embDeviceVendor}\|%{DATA:embDeviceProduct}\|%{DATA:embDeviceVersion}\|%{DATA:embEventClassID}\|%{DATA:DelimiterCharacter}\|%{GREEDYDATA:cef_or_leef_msg}", - 
"\|%{DATA:embDeviceVendor}\|%{DATA:embDeviceProduct}\|%{DATA:embEventClassID}\|%{DATA:DelimiterCharacter}\|%{GREEDYDATA:cef_or_leef_msg}", - "\|%{DATA:embDeviceVendor}\|%{DATA:embDeviceProduct}\|%{GREEDYDATA:cef_or_leef_msg}" - ] - } - } - } - } -#......................................................................# -#First, replace whitespaces with default string after = to avoid kv issues, example: -#gattServices= manufacturerName=MFN, generates -> gattServices="manufacturerName=MFN" -#and should generate two fields: gattServices and manufacturerName - if [cef_or_leef_msg] { - mutate { - gsub => [ - "cef_or_leef_msg", "(\w+)= ", "\1=X0X " - ] - } -#......................................................................# -#Using the kv filter with default config, usefull in key-value logs - - kv { - source => "cef_or_leef_msg" - allow_duplicate_values => false - target => "kv_field" - } - } -#......................................................................# -#Remove fields that have issues with kv filter (spaces or = in value) - mutate { - remove_field => ["[kv_field][command_line]","[kv_field][command]","[kv_field][username]","[kv_field][userName]","[kv_field][activity]","[kv_field][description]", - "[kv_field][parent_path]","[kv_field][path]","[kv_field][filepath]","[kv_field][parent_cmd_line]","[kv_field][process_path]"] - } -#......................................................................# -#Using grok to parse kv issued fields - grok { - match => { - "cef_or_leef_msg" => [ - "command_line=%{DATA:command_line}\s(\b([a-zA-Z0-9_]+)\b)=(%{GREEDYDATA:irrelevant})?" - ] - } - } - - grok { - match => { - "cef_or_leef_msg" => [ - "command=%{DATA:command_line}\s(\b([a-zA-Z0-9_]+)\b)=(%{GREEDYDATA:irrelevant})?" - ] - } - } - - grok { - match => { - "cef_or_leef_msg" => [ - "user(n|N)ame=%{DATA:username} %{WORD}=(%{GREEDYDATA:irrelevant})?" 
- ] - } - } - - grok { - match => { - "cef_or_leef_msg" => [ - "activity=%{DATA:activity} %{WORD}=(%{GREEDYDATA:irrelevant})?" - ] - } - } - - grok { - match => { - "cef_or_leef_msg" => [ - "description=%{DATA:description} %{WORD}=(%{GREEDYDATA:irrelevant})?" - ] - } - } - - grok { - match => { - "cef_or_leef_msg" => [ - "parent_path=%{DATA:parent_path} %{WORD}=(%{GREEDYDATA:irrelevant})?" - ] - } - } - - grok { - match => { - "cef_or_leef_msg" => [ - "path=%{DATA:path} %{WORD}=(%{GREEDYDATA:irrelevant})?" - ] - } - } - - grok { - match => { - "cef_or_leef_msg" => [ - "filepath=%{DATA:filepath} %{WORD}=(%{GREEDYDATA:irrelevant})?" - ] - } - } - - grok { - match => { - "cef_or_leef_msg" => [ - "parent_cmd_line=%{DATA:parent_cmd_line} %{WORD}=(%{GREEDYDATA:irrelevant})?" - ] - } - } - - grok { - match => { - "cef_or_leef_msg" => [ - "process_path=%{DATA:process_path} %{WORD}=(%{GREEDYDATA:irrelevant})?" - ] - } - } - -#......................................................................# -#Check if kv didn't work, in that case, perform a field by field scan -#......................................................................# -if "_kv_filter_error" in [tags] { - - # EDR Events - if [command_line] { - if ![kv_field][accessed_process]{ - grok { match => { "cef_or_leef_msg" => [ - "accessed_process=%{DATA:[kv_field][accessed_process]} %{WORD}=(%{GREEDYDATA:irrelevant})?","accessed_process=%{GREEDYDATA:[kv_field][accessed_process]}" - ] } } - } - - if ![kv_field][account_name]{ - grok { match => { "cef_or_leef_msg" => [ - "account_name=%{DATA:[kv_field][account_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","account_name=%{GREEDYDATA:[kv_field][account_name]}" - ] } } - } - - if ![kv_field][account_id]{ - grok { match => { "cef_or_leef_msg" => [ - "account_id=%{DATA:[kv_field][account_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","account_id=%{GREEDYDATA:[kv_field][account_id]}" - ] } } - } - - if ![kv_field][agent_ip]{ - grok { match => { "cef_or_leef_msg" => [ - 
"agent_ip=%{DATA:[kv_field][agent_ip]} %{WORD}=(%{GREEDYDATA:irrelevant})?","agent_ip=%{GREEDYDATA:[kv_field][agent_ip]}" - ] } } - } - - if ![kv_field][auth_package]{ - grok { match => { "cef_or_leef_msg" => [ - "auth_package=%{DATA:[kv_field][auth_package]} %{WORD}=(%{GREEDYDATA:irrelevant})?","auth_package=%{GREEDYDATA:[kv_field][auth_package]}" - ] } } - } - - if ![kv_field][call_trace]{ - grok { match => { "cef_or_leef_msg" => [ - "call_trace=%{DATA:[kv_field][call_trace]} %{WORD}=(%{GREEDYDATA:irrelevant})?","call_trace=%{GREEDYDATA:[kv_field][call_trace]}" - ] } } - } - - if ![kv_field][company]{ - grok { match => { "cef_or_leef_msg" => [ - "company=%{DATA:[kv_field][company]} %{WORD}=(%{GREEDYDATA:irrelevant})?","company=%{GREEDYDATA:[kv_field][company]}" - ] } } - } - - if ![kv_field][computer]{ - grok { match => { "cef_or_leef_msg" => [ - "computer=%{DATA:[kv_field][computer]} %{WORD}=(%{GREEDYDATA:irrelevant})?","computer=%{GREEDYDATA:[kv_field][computer]}" - ] } } - } - - if ![kv_field][cpu_usage]{ - grok { match => { "cef_or_leef_msg" => [ - "cpu_usage=%{DATA:[kv_field][cpu_usage]} %{WORD}=(%{GREEDYDATA:irrelevant})?","cpu_usage=%{GREEDYDATA:[kv_field][cpu_usage]}" - ] } } - } - - if ![kv_field][current_dir]{ - grok { match => { "cef_or_leef_msg" => [ - "current_dir=%{DATA:[kv_field][current_dir]} %{WORD}=(%{GREEDYDATA:irrelevant})?","current_dir=%{GREEDYDATA:[kv_field][current_dir]}" - ] } } - } - - if ![kv_field][dest_host_name]{ - grok { match => { "cef_or_leef_msg" => [ - "dest_host_name=%{DATA:[kv_field][dest_host_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","dest_host_name=%{GREEDYDATA:[kv_field][dest_host_name]}" - ] } } - } - - if ![kv_field][dest_is_ipv6]{ - grok { match => { "cef_or_leef_msg" => [ - "dest_is_ipv6=%{DATA:[kv_field][dest_is_ipv6]} %{WORD}=(%{GREEDYDATA:irrelevant})?","dest_is_ipv6=%{GREEDYDATA:[kv_field][dest_is_ipv6]}" - ] } } - } - - if ![kv_field][details]{ - grok { match => { "cef_or_leef_msg" => [ - 
"details=%{DATA:[kv_field][details]} %{WORD}=(%{GREEDYDATA:irrelevant})?","details=%{GREEDYDATA:[kv_field][details]}" - ] } } - } - - if ![kv_field][domain]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(domain)\b=%{DATA:[kv_field][domain]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(domain)\b=%{GREEDYDATA:[kv_field][domain]}" - ] } } - } - - if ![kv_field][dst_ip]{ - grok { match => { "cef_or_leef_msg" => [ - "(dst_ip)=%{DATA:[kv_field][dst_ip]} %{WORD}=(%{GREEDYDATA:irrelevant})?","(dst_ip)=%{GREEDYDATA:[kv_field][dst_ip]}" - ] } } - } - - if ![kv_field][destIP]{ - grok { match => { "cef_or_leef_msg" => [ - "(destIP)=%{DATA:[kv_field][destIP]} %{WORD}=(%{GREEDYDATA:irrelevant})?","(destIP)=%{GREEDYDATA:[kv_field][destIP]}" - ] } } - } - - if ![kv_field][destinationIP]{ - grok { match => { "cef_or_leef_msg" => [ - "(destinationIP)=%{DATA:[kv_field][destinationIP]} %{WORD}=(%{GREEDYDATA:irrelevant})?","(destinationIP)=%{GREEDYDATA:[kv_field][destinationIP]}" - ] } } - } - - if ![kv_field][destPort] or ![kv_field][dst_port]{ - grok { match => { "cef_or_leef_msg" => [ - "(destPort|dst_port)=%{DATA:[kv_field][destPort]} %{WORD}=(%{GREEDYDATA:irrelevant})?","(destPort|dst_port)=%{GREEDYDATA:[kv_field][destPort]}" - ] } } - } - - if ![kv_field][enterprise_name]{ - grok { match => { "cef_or_leef_msg" => [ - "enterprise_name=%{DATA:[kv_field][enterprise_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","enterprise_name=%{GREEDYDATA:[kv_field][enterprise_name]}" - ] } } - } - - if ![kv_field][event_desc]{ - grok { match => { "cef_or_leef_msg" => [ - "(event_desc|file_desc)=%{DATA:[kv_field][file_desc]} %{WORD}=(%{GREEDYDATA:irrelevant})?","(event_desc|file_desc)=%{GREEDYDATA:[kv_field][file_desc]}" - ] } } - } - - if ![kv_field][event_id]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(event_id)\b=%{DATA:[kv_field][event_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(event_id)\b=%{GREEDYDATA:[kv_field][event_id]}" - ] } } - } - - if ![kv_field][event_type]{ - grok { match => { 
"cef_or_leef_msg" => [ - "event_type=%{DATA:[kv_field][event_type]} %{WORD}=(%{GREEDYDATA:irrelevant})?","event_type=%{GREEDYDATA:[kv_field][event_type]}" - ] } } - } - - if ![kv_field][file_version]{ - grok { match => { "cef_or_leef_msg" => [ - "file_version=%{DATA:[kv_field][file_version]} %{WORD}=(%{GREEDYDATA:irrelevant})?","file_version=%{GREEDYDATA:[kv_field][file_version]}" - ] } } - } - - if ![kv_field][granted_access]{ - grok { match => { "cef_or_leef_msg" => [ - "granted_access=%{DATA:[kv_field][granted_access]} %{WORD}=(%{GREEDYDATA:irrelevant})?","granted_access=%{GREEDYDATA:[kv_field][granted_access]}" - ] } } - } - - if ![kv_field][host_type]{ - grok { match => { "cef_or_leef_msg" => [ - "host_type=%{DATA:[kv_field][host_type]} %{WORD}=(%{GREEDYDATA:irrelevant})?","host_type=%{GREEDYDATA:[kv_field][host_type]}" - ] } } - } - - if ![kv_field][image_loaded]{ - grok { match => { "cef_or_leef_msg" => [ - "image_loaded=%{DATA:[kv_field][image_loaded]} %{WORD}=(%{GREEDYDATA:irrelevant})?","image_loaded=%{GREEDYDATA:[kv_field][image_loaded]}" - ] } } - } - - if ![kv_field][imphash]{ - grok { match => { "cef_or_leef_msg" => [ - "imphash=%{DATA:[kv_field][imphash]} %{WORD}=(%{GREEDYDATA:irrelevant})?","imphash=%{GREEDYDATA:[kv_field][imphash]}" - ] } } - } - - if ![kv_field][initiated]{ - grok { match => { "cef_or_leef_msg" => [ - "initiated=%{DATA:[kv_field][initiated]} %{WORD}=(%{GREEDYDATA:irrelevant})?","initiated=%{GREEDYDATA:[kv_field][initiated]}" - ] } } - } - - if ![kv_field][integrity_level]{ - grok { match => { "cef_or_leef_msg" => [ - "integrity_level=%{DATA:[kv_field][integrity_level]} %{WORD}=(%{GREEDYDATA:irrelevant})?","integrity_level=%{GREEDYDATA:[kv_field][integrity_level]}" - ] } } - } - - if ![kv_field][ip]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(ip)\b=%{DATA:[kv_field][ip]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(ip)\b=%{GREEDYDATA:[kv_field][ip]}" - ] } } - } - - if ![kv_field][is_alert]{ - grok { match => { "cef_or_leef_msg" 
=> [ - "is_alert=%{DATA:[kv_field][is_alert]} %{WORD}=(%{GREEDYDATA:irrelevant})?","is_alert=%{GREEDYDATA:[kv_field][is_alert]}" - ] } } - } - - if ![kv_field][keywords]{ - grok { match => { "cef_or_leef_msg" => [ - "keywords=%{DATA:[kv_field][keywords]} %{WORD}=(%{GREEDYDATA:irrelevant})?","keywords=%{GREEDYDATA:[kv_field][keywords]}" - ] } } - } - - if ![kv_field][logon_process]{ - grok { match => { "cef_or_leef_msg" => [ - "logon_process=%{DATA:[kv_field][logon_process]} %{WORD}=(%{GREEDYDATA:irrelevant})?","logon_process=%{GREEDYDATA:[kv_field][logon_process]}" - ] } } - } - - if ![kv_field][logon_type]{ - grok { match => { "cef_or_leef_msg" => [ - "logon_type=%{DATA:[kv_field][logon_type]} %{WORD}=(%{GREEDYDATA:irrelevant})?","logon_type=%{GREEDYDATA:[kv_field][logon_type]}" - ] } } - } - - if ![kv_field][md5]{ - grok { match => { "cef_or_leef_msg" => [ - "md5=%{DATA:[kv_field][md5]} %{WORD}=(%{GREEDYDATA:irrelevant})?","md5=%{GREEDYDATA:[kv_field][md5]}" - ] } } - } - - if ![kv_field][mem_usage]{ - grok { match => { "cef_or_leef_msg" => [ - "mem_usage=%{DATA:[kv_field][mem_usage]} %{WORD}=(%{GREEDYDATA:irrelevant})?","mem_usage=%{GREEDYDATA:[kv_field][mem_usage]}" - ] } } - } - - if ![kv_field][mitre_id]{ - grok { match => { "cef_or_leef_msg" => [ - "mitre_id=%{DATA:[kv_field][mitre_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","mitre_id=%{GREEDYDATA:[kv_field][mitre_id]}" - ] } } - } - - if ![kv_field][mitre_tactics]{ - grok { match => { "cef_or_leef_msg" => [ - "mitre_tactics=%{DATA:[kv_field][mitre_tactics]} %{WORD}=(%{GREEDYDATA:irrelevant})?","mitre_tactics=%{GREEDYDATA:[kv_field][mitre_tactics]}" - ] } } - } - - if ![kv_field][mitre_tech]{ - grok { match => { "cef_or_leef_msg" => [ - "mitre_tech=%{DATA:[kv_field][mitre_tech]} %{WORD}=(%{GREEDYDATA:irrelevant})?","mitre_tech=%{GREEDYDATA:[kv_field][mitre_tech]}" - ] } } - } - - if ![kv_field][module]{ - grok { match => { "cef_or_leef_msg" => [ - "module=%{DATA:[kv_field][module]} 
%{WORD}=(%{GREEDYDATA:irrelevant})?","module=%{GREEDYDATA:[kv_field][module]}" - ] } } - } - - if ![kv_field][original_file_name]{ - grok { match => { "cef_or_leef_msg" => [ - "original_file_name=%{DATA:[kv_field][original_file_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","original_file_name=%{GREEDYDATA:[kv_field][original_file_name]}" - ] } } - } - - if ![kv_field][os_type]{ - grok { match => { "cef_or_leef_msg" => [ - "os_type=%{DATA:[kv_field][os_type]} %{WORD}=(%{GREEDYDATA:irrelevant})?","os_type=%{GREEDYDATA:[kv_field][os_type]}" - ] } } - } - - if ![kv_field][parent_process_guid]{ - grok { match => { "cef_or_leef_msg" => [ - "parent_process_guid=%{DATA:[kv_field][parent_process_guid]} %{WORD}=(%{GREEDYDATA:irrelevant})?","parent_process_guid=%{GREEDYDATA:[kv_field][parent_process_guid]}" - ] } } - } - - if ![kv_field][parent_process_id]{ - grok { match => { "cef_or_leef_msg" => [ - "parent_process_id=%{DATA:[kv_field][parent_process_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","parent_process_id=%{GREEDYDATA:[kv_field][parent_process_id]}" - ] } } - } - - if ![kv_field][parent_user]{ - grok { match => { "cef_or_leef_msg" => [ - "parent_user=%{DATA:[kv_field][parent_user]} %{WORD}=(%{GREEDYDATA:irrelevant})?","parent_user=%{GREEDYDATA:[kv_field][parent_user]}" - ] } } - } - - if ![kv_field][privilege]{ - grok { match => { "cef_or_leef_msg" => [ - "privilege=%{DATA:[kv_field][privilege]} %{WORD}=(%{GREEDYDATA:irrelevant})?","privilege=%{GREEDYDATA:[kv_field][privilege]}" - ] } } - } - - if ![kv_field][process_guid]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(process_guid)\b=%{DATA:[kv_field][process_guid]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(process_guid)\b=%{GREEDYDATA:[kv_field][process_guid]}" - ] } } - } - - if ![kv_field][process_id]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(process_id)\b=%{DATA:[kv_field][process_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(process_id)\b=%{GREEDYDATA:[kv_field][process_id]}" - ] } } - } - - if 
![kv_field][process_name]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(process_name)\b=%{DATA:[kv_field][process_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(process_name)\b=%{GREEDYDATA:[kv_field][process_name]}" - ] } } - } - - if ![kv_field][product]{ - grok { match => { "cef_or_leef_msg" => [ - "product=%{DATA:[kv_field][product]} %{WORD}=(%{GREEDYDATA:irrelevant})?","product=%{GREEDYDATA:[kv_field][product]}" - ] } } - } - - if ![kv_field][protocol]{ - grok { match => { "cef_or_leef_msg" => [ - "protocol=%{DATA:[kv_field][protocol]} %{WORD}=(%{GREEDYDATA:irrelevant})?","protocol=%{GREEDYDATA:[kv_field][protocol]}" - ] } } - } - - if ![kv_field][provider_name]{ - grok { match => { "cef_or_leef_msg" => [ - "provider_name=%{DATA:[kv_field][provider_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","provider_name=%{GREEDYDATA:[kv_field][provider_name]}" - ] } } - } - - if ![kv_field][pswd_last_set]{ - grok { match => { "cef_or_leef_msg" => [ - "pswd_last_set=%{DATA:[kv_field][pswd_last_set]} %{WORD}=(%{GREEDYDATA:irrelevant})?","pswd_last_set=%{GREEDYDATA:[kv_field][pswd_last_set]}" - ] } } - } - - if ![kv_field][publisher]{ - grok { match => { "cef_or_leef_msg" => [ - "publisher=%{DATA:[kv_field][publisher]} %{WORD}=(%{GREEDYDATA:irrelevant})?","publisher=%{GREEDYDATA:[kv_field][publisher]}" - ] } } - } - - if ![kv_field][query_res]{ - grok { match => { "cef_or_leef_msg" => [ - "query_res=%{DATA:[kv_field][query_res]} %{WORD}=(%{GREEDYDATA:irrelevant})?","query_res=%{GREEDYDATA:[kv_field][query_res]}" - ] } } - } - - if ![kv_field][query_status]{ - grok { match => { "cef_or_leef_msg" => [ - "query_status=%{DATA:[kv_field][query_status]} %{WORD}=(%{GREEDYDATA:irrelevant})?","query_status=%{GREEDYDATA:[kv_field][query_status]}" - ] } } - } - - if ![kv_field][rule_name]{ - grok { match => { "cef_or_leef_msg" => [ - "rule_name=%{DATA:[kv_field][rule_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","rule_name=%{GREEDYDATA:[kv_field][rule_name]}" - ] } } - } - - if 
![kv_field][sam_account]{ - grok { match => { "cef_or_leef_msg" => [ - "sam_account=%{DATA:[kv_field][sam_account]} %{WORD}=(%{GREEDYDATA:irrelevant})?","sam_account=%{GREEDYDATA:[kv_field][sam_account]}" - ] } } - } - - if ![kv_field][severity]{ - grok { match => { "cef_or_leef_msg" => [ - "severity=%{DATA:[kv_field][severity]} %{WORD}=(%{GREEDYDATA:irrelevant})?","severity=%{GREEDYDATA:[kv_field][severity]}" - ] } } - } - - if ![kv_field][sha256]{ - grok { match => { "cef_or_leef_msg" => [ - "sha256=%{DATA:[kv_field][sha256]} %{WORD}=(%{GREEDYDATA:irrelevant})?","sha256=%{GREEDYDATA:[kv_field][sha256]}" - ] } } - } - - if ![kv_field][signature_status]{ - grok { match => { "cef_or_leef_msg" => [ - "signature_status=%{DATA:[kv_field][signature_status]} %{WORD}=(%{GREEDYDATA:irrelevant})?","signature_status=%{GREEDYDATA:[kv_field][signature_status]}" - ] } } - } - - if ![kv_field][src_ip]{ - grok { match => { "cef_or_leef_msg" => [ - "src_ip=%{DATA:[kv_field][src_ip]} %{WORD}=(%{GREEDYDATA:irrelevant})?","src_ip=%{GREEDYDATA:[kv_field][src_ip]}" - ] } } - } - - if ![kv_field][src_port]{ - grok { match => { "cef_or_leef_msg" => [ - "src_port=%{DATA:[kv_field][src_port]} %{WORD}=(%{GREEDYDATA:irrelevant})?","src_port=%{GREEDYDATA:[kv_field][src_port]}" - ] } } - } - - if ![kv_field][start_time]{ - grok { match => { "cef_or_leef_msg" => [ - "start_time=%{DATA:[kv_field][start_time]} %{WORD}=(%{GREEDYDATA:irrelevant})?","start_time=%{GREEDYDATA:[kv_field][start_time]}" - ] } } - } - - if ![kv_field][status]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(status)\b=%{DATA:[kv_field][status]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(status)\b=%{GREEDYDATA:[kv_field][status]}" - ] } } - } - - if ![kv_field][sub_domain]{ - grok { match => { "cef_or_leef_msg" => [ - "sub_domain=%{DATA:[kv_field][sub_domain]} %{WORD}=(%{GREEDYDATA:irrelevant})?","sub_domain=%{GREEDYDATA:[kv_field][sub_domain]}" - ] } } - } - - if ![kv_field][sub_logon_id]{ - grok { match => { 
"cef_or_leef_msg" => [ - "sub_logon_id=%{DATA:[kv_field][sub_logon_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","sub_logon_id=%{GREEDYDATA:[kv_field][sub_logon_id]}" - ] } } - } - - if ![kv_field][sub_user]{ - grok { match => { "cef_or_leef_msg" => [ - "sub_user=%{DATA:[kv_field][sub_user]} %{WORD}=(%{GREEDYDATA:irrelevant})?","sub_user=%{GREEDYDATA:[kv_field][sub_user]}" - ] } } - } - - if ![kv_field][sub_user_sid]{ - grok { match => { "cef_or_leef_msg" => [ - "sub_user_sid=%{DATA:[kv_field][sub_user_sid]} %{WORD}=(%{GREEDYDATA:irrelevant})?","sub_user_sid=%{GREEDYDATA:[kv_field][sub_user_sid]}" - ] } } - } - - if ![kv_field][targetDomainName]{ - grok { match => { "cef_or_leef_msg" => [ - "targetDomainName=%{DATA:[kv_field][targetDomainName]} %{WORD}=(%{GREEDYDATA:irrelevant})?","targetDomainName=%{GREEDYDATA:[kv_field][targetDomainName]}" - ] } } - } - - if ![kv_field][target_image]{ - grok { match => { "cef_or_leef_msg" => [ - "target_image=%{DATA:[kv_field][target_image]} %{WORD}=(%{GREEDYDATA:irrelevant})?","target_image=%{GREEDYDATA:[kv_field][target_image]}" - ] } } - } - - if ![kv_field][target_sid]{ - grok { match => { "cef_or_leef_msg" => [ - "target_sid=%{DATA:[kv_field][target_sid]} %{WORD}=(%{GREEDYDATA:irrelevant})?","target_sid=%{GREEDYDATA:[kv_field][target_sid]}" - ] } } - } - - if ![kv_field][target_user]{ - grok { match => { "cef_or_leef_msg" => [ - "target_user=%{DATA:[kv_field][target_user]} %{WORD}=(%{GREEDYDATA:irrelevant})?","target_user=%{GREEDYDATA:[kv_field][target_user]}" - ] } } - } - - if ![kv_field][timestamp]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(timestamp)\b=%{DATA:[kv_field][timestamp]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(timestamp)\b=%{GREEDYDATA:[kv_field][timestamp]}" - ] } } - } - - if ![kv_field][f1_timestamp]{ - grok { match => { "cef_or_leef_msg" => [ - "f1_timestamp=%{DATA:[kv_field][f1_timestamp]} %{WORD}=(%{GREEDYDATA:irrelevant})?","f1_timestamp=%{GREEDYDATA:[kv_field][f1_timestamp]}" - ] } } - } - - if 
![kv_field][title]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(title)\b=%{DATA:[kv_field][title]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(title)\b=%{GREEDYDATA:[kv_field][title]}" - ] } } - } - - if ![kv_field][user]{ - grok { match => { "cef_or_leef_msg" => [ - "\b(user)\b=%{DATA:[kv_field][user]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(user)\b=%{GREEDYDATA:[kv_field][user]}" - ] } } - } - - if ![kv_field][utc_time]{ - grok { match => { "cef_or_leef_msg" => [ - "utc_time=%{DATA:[kv_field][utc_time]} %{WORD}=(%{GREEDYDATA:irrelevant})?","utc_time=%{GREEDYDATA:[kv_field][utc_time]}" - ] } } - } - - if ![kv_field][workstation]{ - grok { match => { "cef_or_leef_msg" => [ - "workstation=%{DATA:[kv_field][workstation]} %{WORD}=(%{GREEDYDATA:irrelevant})?","workstation=%{GREEDYDATA:[kv_field][workstation]}" - ] } } - } - - if ![kv_field][wz_agent_id]{ - grok { match => { "cef_or_leef_msg" => [ - "wz_agent_id=%{DATA:[kv_field][wz_agent_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","wz_agent_id=%{GREEDYDATA:[kv_field][wz_agent_id]}" - ] } } - } - - if ![kv_field][active_user]{ - grok { match => { "cef_or_leef_msg" => [ - "active_user=%{DATA:[kv_field][active_user]} %{WORD}=(%{GREEDYDATA:irrelevant})?","active_user=%{GREEDYDATA:[kv_field][active_user]}" - ] } } - } - - if ![kv_field][assoc_user]{ - grok { match => { "cef_or_leef_msg" => [ - "assoc_user=%{DATA:[kv_field][assoc_user]} %{WORD}=(%{GREEDYDATA:irrelevant})?","assoc_user=%{GREEDYDATA:[kv_field][assoc_user]}" - ] } } - } - - if ![kv_field][endpoint_id]{ - grok { match => { "cef_or_leef_msg" => [ - "endpoint_id=%{DATA:[kv_field][endpoint_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","endpoint_id=%{GREEDYDATA:[kv_field][endpoint_id]}" - ] } } - } - - if ![kv_field][endpoint_name]{ - grok { match => { "cef_or_leef_msg" => [ - "endpoint_name=%{DATA:[kv_field][endpoint_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","endpoint_name=%{GREEDYDATA:[kv_field][endpoint_name]}" - ] } } - } - - if ![kv_field][endpoint_number]{ - 
grok { match => { "cef_or_leef_msg" => [ - "endpoint_number=%{DATA:[kv_field][endpoint_number]} %{WORD}=(%{GREEDYDATA:irrelevant})?","endpoint_number=%{GREEDYDATA:[kv_field][endpoint_number]}" - ] } } - } - - if ![kv_field][endpoint_os]{ - grok { match => { "cef_or_leef_msg" => [ - "endpoint_os=%{DATA:[kv_field][endpoint_os]} %{WORD}=(%{GREEDYDATA:irrelevant})?","endpoint_os=%{GREEDYDATA:[kv_field][endpoint_os]}" - ] } } - } - - if ![kv_field][endpoint_serial]{ - grok { match => { "cef_or_leef_msg" => [ - "endpoint_serial=%{DATA:[kv_field][endpoint_serial]} %{WORD}=(%{GREEDYDATA:irrelevant})?","endpoint_serial=%{GREEDYDATA:[kv_field][endpoint_serial]}" - ] } } - } - - if ![kv_field][wz_agent_name]{ - grok { match => { "cef_or_leef_msg" => [ - "wz_agent_name=%{DATA:[kv_field][wz_agent_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","wz_agent_name=%{GREEDYDATA:[kv_field][wz_agent_name]}" - ] } } - } - - if ![kv_field][decoder_name]{ - grok { match => { "cef_or_leef_msg" => [ - "decoder_name=%{DATA:[kv_field][decoder_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","decoder_name=%{GREEDYDATA:[kv_field][decoder_name]}" - ] } } - } - - if ![kv_field][wz_data_id]{ - grok { match => { "cef_or_leef_msg" => [ - "wz_data_id=%{DATA:[kv_field][wz_data_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","wz_data_id=%{GREEDYDATA:[kv_field][wz_data_id]}" - ] } } - } - - if ![kv_field][location]{ - grok { match => { "cef_or_leef_msg" => [ - "location=%{DATA:[kv_field][location]} %{WORD}=(%{GREEDYDATA:irrelevant})?","location=%{GREEDYDATA:[kv_field][location]}" - ] } } - } - - if ![kv_field][predecoder_prog_name]{ - grok { match => { "cef_or_leef_msg" => [ - "predecoder_prog_name=%{DATA:[kv_field][predecoder_prog_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","predecoder_prog_name=%{GREEDYDATA:[kv_field][predecoder_prog_name]}" - ] } } - } - - if ![kv_field][rule_id]{ - grok { match => { "cef_or_leef_msg" => [ - "rule_id=%{DATA:[kv_field][rule_id]} 
%{WORD}=(%{GREEDYDATA:irrelevant})?","rule_id=%{GREEDYDATA:[kv_field][rule_id]}" - ] } } - } - - if ![kv_field][signer]{ - grok { match => { "cef_or_leef_msg" => [ - "signer=%{DATA:[kv_field][signer]} %{WORD}=(%{GREEDYDATA:irrelevant})?","signer=%{GREEDYDATA:[kv_field][signer]}" - ] } } - } - - if ![kv_field][wz_firedtimes]{ - grok { match => { "cef_or_leef_msg" => [ - "wz_firedtimes=%{DATA:[kv_field][wz_firedtimes]} %{WORD}=(%{GREEDYDATA:irrelevant})?","wz_firedtimes=%{GREEDYDATA:[kv_field][wz_firedtimes]}" - ] } } - } - - if ![kv_field][ep_group_disp_name]{ - grok { match => { "cef_or_leef_msg" => [ - "ep_group_disp_name=%{DATA:[kv_field][ep_group_disp_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","ep_group_disp_name=%{GREEDYDATA:[kv_field][ep_group_disp_name]}" - ] } } - } - - if ![kv_field][ep_group_name]{ - grok { match => { "cef_or_leef_msg" => [ - "ep_group_name=%{DATA:[kv_field][ep_group_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","ep_group_name=%{GREEDYDATA:[kv_field][ep_group_name]}" - ] } } - } - } - # EDR and Behavior Alerts - else if [command] { - if ![kv_field][account_id]{ - grok { match => { "cef_or_leef_msg" => [ - "account_id=%{DATA:[kv_field][account_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","account_id=%{GREEDYDATA:[kv_field][account_id]}" - ] } } - } - - if ![kv_field][alert_link]{ - grok { match => { "cef_or_leef_msg" => [ - "alert_link=%{DATA:[kv_field][alert_link]} %{WORD}=(%{GREEDYDATA:irrelevant})?","alert_link=%{GREEDYDATA:[kv_field][alert_link]}" - ] } } - } - - if ![kv_field][alert_name]{ - grok { match => { "cef_or_leef_msg" => [ - "alert_name=%{DATA:[kv_field][alert_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","alert_name=%{GREEDYDATA:[kv_field][alert_name]}" - ] } } - } - - if ![kv_field][alert_source_id]{ - grok { match => { "cef_or_leef_msg" => [ - "alert_source_id=%{DATA:[kv_field][alert_source_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","alert_source_id=%{GREEDYDATA:[kv_field][alert_source_id]}" - ] } } - } - - if 
![kv_field][alert_source_name]{
- grok { match => { "cef_or_leef_msg" => [
- "alert_source_name=%{DATA:[kv_field][alert_source_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","alert_source_name=%{GREEDYDATA:[kv_field][alert_source_name]}"
- ] } }
- }
-
- if ![kv_field][endpoint_id]{
- grok { match => { "cef_or_leef_msg" => [
- "endpoint_id=%{DATA:[kv_field][endpoint_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","endpoint_id=%{GREEDYDATA:[kv_field][endpoint_id]}"
- ] } }
- }
-
- if ![kv_field][endpoint_name]{
- grok { match => { "cef_or_leef_msg" => [
- "endpoint_name=%{DATA:[kv_field][endpoint_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","endpoint_name=%{GREEDYDATA:[kv_field][endpoint_name]}"
- ] } }
- }
-
- if ![kv_field][enterprise_name]{
- grok { match => { "cef_or_leef_msg" => [
- "enterprise_name=%{DATA:[kv_field][enterprise_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","enterprise_name=%{GREEDYDATA:[kv_field][enterprise_name]}"
- ] } }
- }
-
- if ![kv_field][id]{
- grok { match => { "cef_or_leef_msg" => [
- "\b(id)\b=%{DATA:[kv_field][id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(id)\b=%{GREEDYDATA:[kv_field][id]}"
- ] } }
- }
-
- if ![kv_field][md5hash]{
- grok { match => { "cef_or_leef_msg" => [
- "md5hash=%{DATA:[kv_field][md5]} %{WORD}=(%{GREEDYDATA:irrelevant})?","md5hash=%{GREEDYDATA:[kv_field][md5]}"
- ] } }
- }
-
- if ![kv_field][parent_process_id]{
- grok { match => { "cef_or_leef_msg" => [
- "parent_process_id=%{DATA:[kv_field][parent_process_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","parent_process_id=%{GREEDYDATA:[kv_field][parent_process_id]}"
- ] } }
- }
-
- if ![kv_field][parent_process_name]{
- grok { match => { "cef_or_leef_msg" => [
- "parent_process_name=%{DATA:[kv_field][parent_process_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","parent_process_name=%{GREEDYDATA:[kv_field][parent_process_name]}"
- ] } }
- }
-
- if ![kv_field][process_guid]{
- grok { match => { "cef_or_leef_msg" => [
- "\b(process_guid)\b=%{DATA:[kv_field][process_guid]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(process_guid)\b=%{GREEDYDATA:[kv_field][process_guid]}"
- ] } }
- }
-
- if ![kv_field][process_name]{
- grok { match => { "cef_or_leef_msg" => [
- "\b(process_name)\b=%{DATA:[kv_field][process_name]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(process_name)\b=%{GREEDYDATA:[kv_field][process_name]}"
- ] } }
- }
-
- if ![kv_field][severity]{
- grok { match => { "cef_or_leef_msg" => [
- "severity=%{DATA:[kv_field][severity]} %{WORD}=(%{GREEDYDATA:irrelevant})?","severity=%{GREEDYDATA:[kv_field][severity]}"
- ] } }
- }
-
- if ![kv_field][type]{
- grok { match => { "cef_or_leef_msg" => [
- "\b(type)\b=%{DATA:[kv_field][type]} %{WORD}=(%{GREEDYDATA:irrelevant})?","\b(type)\b=%{GREEDYDATA:[kv_field][type]}"
- ] } }
- }
-
- if ![kv_field][violated_event_id]{
- grok { match => { "cef_or_leef_msg" => [
- "violated_event_id=%{DATA:[kv_field][violated_event_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","violated_event_id=%{GREEDYDATA:[kv_field][violated_event_id]}"
- ] } }
- }
-
- if ![kv_field][violated_process_id]{
- grok { match => { "cef_or_leef_msg" => [
- "violated_process_id=%{DATA:[kv_field][violated_process_id]} %{WORD}=(%{GREEDYDATA:irrelevant})?","violated_process_id=%{GREEDYDATA:[kv_field][violated_process_id]}"
- ] } }
- }
-
- if ![kv_field][violated_time]{
- grok { match => { "cef_or_leef_msg" => [
- "violated_time=%{DATA:[kv_field][violated_time]} %{WORD}=(%{GREEDYDATA:irrelevant})?","violated_time=%{GREEDYDATA:[kv_field][violated_time]}"
- ] } }
- }
- }
-
-}
-
-#......................................................................#
-#Add fields to the tree structure
-#......................................................................#
-# We must add first, tha conditions to get some important fields
- # ............
- # src_user
- #.............
-# Threats and Violations
- if [kv_field][entityType] {
- if [kv_field][entityType] == "lan" {
- if [kv_field][dhcpLeaseID] {
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][dhcpLeaseID]}" }
- }
- }
- } else if [kv_field][entityType] == "agent" {
- if [kv_field][endpoint_id] {
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][endpoint_id]}" }
- }
- }
- } else if [kv_field][entityType] == "appedge" {
- if [kv_field][aeUserID] {
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][aeUserID]}" }
- }
- }
- } else if [kv_field][entityType] == "userdevice" {
- if [kv_field][mdn] {
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][mdn]}" }
- }
- }
- } else if [kv_field][entityType] == "edge" {
- if [kv_field][deviceID] {
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][deviceID]}" }
- }
- }
- }
- } else if [kv_field][user] or [kv_field][sub_user] {
- # EDR Events
- if [kv_field][user] {
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][user]}" }
- }
- } else if [kv_field][sub_user] {
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][sub_user]}" }
- }
- }
- } else if [kv_field][endpoint_id] {
- # EDR Alerts
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][endpoint_id]}" }
- }
- } else if [kv_field][username] {
- # Dashboard Portal Audit
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][username]}" }
- }
- } else if [kv_field][userid] {
- # AppEdge Audit
- mutate {
- add_field => { "[kv_field][src_user]" => "%{[kv_field][userid]}" }
- }
- }
- # ............
- # dest_user
- #.............
- if [kv_field][target_user] {
- mutate {
- add_field => { "[kv_field][dest_user]" => "%{[kv_field][target_user]}" }
- }
- }
- # ............
- # src_ip
- #.............
- if ![kv_field][src_ip] {
- if [kv_field][ip] {
- mutate {
- add_field => { "[kv_field][src_ip]" => "%{[kv_field][ip]}" }
- }
- } else if [kv_field][srcIP] {
- mutate {
- add_field => { "[kv_field][src_ip]" => "%{[kv_field][srcIP]}" }
- }
- } else if [kv_field][lanip] {
- mutate {
- add_field => { "[kv_field][src_ip]" => "%{[kv_field][lanip]}" }
- }
- }
- }
- # ............
- # dest_ip
- #.............
- if ![kv_field][dest_ip] {
- if [kv_field][dst_ip] {
- mutate {
- add_field => {
- "[kv_field][dest_ip]" => "%{[kv_field][dst_ip]}"
- }
- }
- } else if [kv_field][destinationIP] {
- mutate {
- add_field => {
- "[kv_field][dest_ip]" => "%{[kv_field][destinationIP]}"
- }
- }
- }
- }
- # ............
- # src_port
- #.............
- if ![kv_field][src_port] {
- if [kv_field][srcPort] {
- mutate {
- add_field => {
- "[kv_field][src_port]" => "%{[kv_field][srcPort]}"
- }
- }
- }
- }
- # ............
- # dest_port
- #.............
- if ![kv_field][dest_port] {
- if [kv_field][dst_port] {
- mutate {
- add_field => {
- "[kv_field][dest_port]" => "%{[kv_field][dst_port]}"
- }
- }
- } else if [kv_field][destPort] {
- mutate {
- add_field => {
- "[kv_field][dest_port]" => "%{[kv_field][destPort]}"
- }
- }
- }
- }
-
- mutate {
- #Rename the filds out of kv results
- rename => { "[embEventClassID]" => "[kv_field][embEventClassID]" }
- rename => { "[embDeviceVendor]" => "[kv_field][embDeviceVendor]" }
- rename => { "[embDeviceProduct]" => "[kv_field][embDeviceProduct]" }
- rename => { "[embName]" => "[kv_field][embName]" }
- rename => { "[embDeviceVersion]" => "[kv_field][embDeviceVersion]" }
- rename => { "[priority]" => "[kv_field][priority]" }
- rename => { "[embSeverity]" => "[kv_field][embSeverity]" }
- rename => { "[format_version]" => "[kv_field][format_version]" }
- rename => { "[format_type]" => "[kv_field][format_type]" }
- rename => { "[end_msg]" => "[kv_field][end_msg]" }
- rename => { "[prvf_message]" => "[kv_field][message]" }
-
- #Generating other fields
- rename => { "[kv_field][protocol]" => "[kv_field][proto]" }
-
- #Rename fields with kv issues (individual groks)
- rename => { "[command_line]" => "[kv_field][command_line]" }
- rename => { "[activity]" => "[kv_field][activity]" }
- rename => { "[description]" => "[kv_field][description]" }
- rename => { "[parent_path]" => "[kv_field][parent_path]" }
- rename => { "[path]" => "[kv_field][path]" }
- rename => { "[filepath]" => "[kv_field][filepath]" }
-
- }
-#......................................................................#
-# Converting some fields to number
- mutate {
- convert => {
- "[kv_field][src_port]" => "integer"
- "[kv_field][dest_port]" => "integer"
- }
-}
-#......................................................................#
-# Decoding severity
-#......................................................................#
-# First, we check if severity is present (Privafy alarms, has a severity field in extension fields)
-# Otherwise we take the header severity field
-if ![kv_field][severity]{
- mutate {
- rename => { "[kv_field][embSeverity]" => "[kv_field][severity]" }
- }
-} else {
- mutate {
- remove_field => ["[kv_field][embSeverity]"]
- }
-}
-#......................................................................#
-# Begin to decode severity
-if [kv_field][severity]{
- if [kv_field][severity] == "9" or [kv_field][severity] == "10" or [kv_field][severity] == "11"
- or [kv_field][severity] == "12" or [kv_field][severity] == "13" or [kv_field][severity] == "14"
- or [kv_field][severity] == "15" or [kv_field][severity] == "CRITICAL" {
- mutate {
- add_field => {
- "[logx][privafy][severityLabel]" => "Very-High"
- }
- }
- } else if [kv_field][severity] == "7" or [kv_field][severity] == "8" or [kv_field][severity] == "HIGH" {
- mutate {
- add_field => {
- "[logx][privafy][severityLabel]" => "High"
- }
- }
- } else if [kv_field][severity] >= "4" and [kv_field][severity] <= "6" or [kv_field][severity] == "MEDIUM" {
- mutate {
- add_field => {
- "[logx][privafy][severityLabel]" => "Medium"
- }
- }
- } else if [kv_field][severity] == "0" or [kv_field][severity] == "1" or [kv_field][severity] == "2"
- or [kv_field][severity] == "3" or [kv_field][severity] == "LOW" or [kv_field][severity] == "INFO" {
- mutate {
- add_field => {
- "[logx][privafy][severityLabel]" => "Low"
- }
- }
- } else {
- mutate {
- add_field => {
- "[logx][privafy][severityLabel]" => "%{[kv_field][severity]}"
- }
- }
- }
-}
-#......................................................................#
-#Set null the fields with de X0X value (default string for null), and replace simple and double quotation
-#also generate logx tree structure dynamically
- if [kv_field] {
- ruby {
- code => '
- event.get("[kv_field]").each do |k, v|
- if (v == "X0X")
- event.set("[logx][privafy][#{k}]",nil)
- elsif k.start_with?("-")
- event.remove(k)
- elsif k =~ /\W(.*)?/
- event.remove(k)
- elsif !(v.kind_of?(Array))
- new_v = v.to_s.gsub(/\"/, "")
- new_v = new_v.gsub(/\'/, "")
- event.set("[logx][privafy][#{k}]",new_v)
- else
- event.set("[logx][privafy][#{k}]",v)
- end
- end
- '
- }
- }
-#......................................................................#
- #Finally, remove unnecessary fields
- mutate {
- remove_field => ["@version","path","tags","type","syslog_version","kv_field","message","[logx][syslog]",
- "not_defined","cef_or_leef_msg_all","cef_or_leef_msg","syslog_date_host","irrelevant","init_msg"]
- }
- }
-# End CEF entrypoint
-
- #Also, remove unwanted fields if the message not match with conditions
- mutate {
- remove_field => ["@version","path","original_log_message","headers"]
- }
-}