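---
# Ingest pipeline for NetFlow records.
#
# Processor order matters: the scratch object `_tmp_` created by the observer.ip
# rename is consumed by the append right after it and dropped again at the end of
# the chain. The on_failure handler drops it as well, so a document that aborts
# part-way through the chain does not get indexed with the scratch object attached.
description: Pipeline for NetFlow
processors:
  # Pin the ECS version the mapped fields follow.
  - set:
      field: ecs.version
      value: '8.11.0'
  # Store the IANA protocol number as a string. ignore_failure means a conversion
  # error is swallowed rather than routed to on_failure, so the field may survive
  # unconverted in that case.
  - convert:
      field: network.iana_number
      type: string
      ignore_missing: true
      ignore_failure: true
  # Move observer.ip aside and append it back (presumably to normalise the field
  # to an array). The append only runs when the rename actually moved a value.
  - rename:
      field: observer.ip
      target_field: _tmp_.observer.ip
      ignore_missing: true
  - append:
      field: observer.ip
      value: '{{_tmp_.observer.ip}}'
      if: ctx._tmp_?.observer?.ip != null
  # Expand the single "network_session" category into the two-valued ECS form.
  - set:
      field: event.category
      value:
        - network
        - session
      if: ctx.event?.category != null && ctx.event?.category == "network_session"
  # network.type: "ipv4", "ipv6", or both (ipv6 appended) when a record carries
  # addresses of both families.
  - set:
      field: network.type
      value: ipv4
      if: ctx.netflow?.source_ipv4_address != null || ctx.netflow?.destination_ipv4_address != null
  - set:
      field: network.type
      value: ipv6
      if: (ctx.netflow?.source_ipv6_address != null || ctx.netflow?.destination_ipv6_address != null) && ctx.network?.type == null
  - append:
      field: network.type
      value: ipv6
      if: (ctx.netflow?.source_ipv6_address != null || ctx.netflow?.destination_ipv6_address != null) && ctx.network?.type == "ipv4"
  # network.direction is derived from source/destination locality. Nothing in this
  # pipeline sets *.locality — presumably set upstream; verify. Any combination not
  # matched below ends up as "unknown".
  - set:
      field: network.direction
      value: inbound
      if: ctx.source?.locality == "external" && ctx.destination?.locality == "internal"
  - set:
      field: network.direction
      value: outbound
      if: ctx.source?.locality == "internal" && ctx.destination?.locality == "external"
  - set:
      field: network.direction
      value: internal
      if: ctx.source?.locality == "internal" && ctx.destination?.locality == "internal"
  - set:
      field: network.direction
      value: external
      if: ctx.source?.locality == "external" && ctx.destination?.locality == "external"
  - set:
      field: network.direction
      value: unknown
      if: ctx.network?.direction == null
  # IP Geolocation Lookup
  # No database_file is given, so the processor's default database is used. The
  # lookups are skipped when geo data is already present on the document.
  - geoip:
      if: ctx.source?.geo == null
      field: source.ip
      target_field: source.geo
      ignore_missing: true
  - geoip:
      if: ctx.destination?.geo == null
      field: destination.ip
      target_field: destination.geo
      ignore_missing: true
  # IP Autonomous System (AS) Lookup
  # ignore_missing only covers an absent source/destination IP field; it does not
  # cover an unavailable ASN database. Unlike the geo lookups above these are not
  # guarded on existing *.as data.
  - geoip:
      database_file: GeoLite2-ASN.mmdb
      field: source.ip
      target_field: source.as
      properties:
        - asn
        - organization_name
      ignore_missing: true
  - geoip:
      database_file: GeoLite2-ASN.mmdb
      field: destination.ip
      target_field: destination.as
      properties:
        - asn
        - organization_name
      ignore_missing: true
  # Map the GeoIP property names onto their ECS field names.
  - rename:
      field: source.as.asn
      target_field: source.as.number
      ignore_missing: true
  - rename:
      field: source.as.organization_name
      target_field: source.as.organization.name
      ignore_missing: true
  - rename:
      field: destination.as.asn
      target_field: destination.as.number
      ignore_missing: true
  - rename:
      field: destination.as.organization_name
      target_field: destination.as.organization.name
      ignore_missing: true
  # Drop the scratch object so it is never indexed.
  - remove:
      field:
        - _tmp_
      ignore_missing: true
on_failure:
  # Mark the document as a pipeline error and keep the failure message so the
  # event stays searchable and triageable rather than being dropped.
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: '{{{ _ingest.on_failure_message }}}'
  # The main chain's remove never runs on this path; clean up the scratch object
  # here too. Kept last so the error fields above are set even if this step
  # were to misbehave.
  - remove:
      field:
        - _tmp_
      ignore_missing: true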