/
pipeline.yml
70 lines (68 loc) · 2.22 KB
/
pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
description: Pipeline for Office 365 Audit logs
processors:
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
- user_agent:
field: user_agent.original
ignore_missing: true
- json:
tag: json-extract-stringly-OperationProperties
field: o365.audit.OperationProperties
if: ctx.o365?.audit?.OperationProperties instanceof String
on_failure:
- remove:
field: o365.audit.OperationProperties
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
# URL
- uri_parts:
field: url.original
target_field: _temp_.url
ignore_failure: true
if: ctx?.url?.original != null
- script:
lang: painless
description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings
if: ctx?._temp_?.url != null
source: |
for (entry in ctx._temp_.url.entrySet()) {
if (entry != null && entry.getValue() != null) {
if(ctx.url[entry.getKey()] == null) {
ctx.url[entry.getKey()] = entry.getValue();
} else if (!ctx.url[entry.getKey()].contains(entry.getValue())) {
ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]];
ctx.url[entry.getKey()].add(entry.getValue());
}
}
}
- remove:
field: _temp_
ignore_missing: true
# IP Geolocation Lookup
- geoip:
field: source.ip
target_field: source.geo
ignore_missing: true
# IP Autonomous System (AS) Lookup
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
- rename:
field: source.as.asn
target_field: source.as.number
ignore_missing: true
- rename:
field: source.as.organization_name
target_field: source.as.organization.name
ignore_missing: true
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'