├── .gitignore ├── COPYING ├── LICENSE ├── README.md └── pipeline ├── corelight-ecs-common-main-pipeline ├── corelight-ecs-common-main-set_index_prefix_and_suffix-pipeline ├── corelight-ecs-common-metric-metrics_stats-pipeline ├── corelight-ecs-common-system-iam_netcontrol_system_audit-pipeline ├── corelight-ecs-main-pipeline ├── corelight-ecs-postprocess-call_enrichments-pipeline ├── corelight-ecs-postprocess-enrich-destination.domain-pipeline ├── corelight-ecs-postprocess-enrich-geoip-destination.ip-pipeline ├── corelight-ecs-postprocess-enrich-geoip-host.ip-pipeline ├── corelight-ecs-postprocess-enrich-geoip-source.ip-pipeline ├── corelight-ecs-postprocess-enrich-url-pipeline ├── corelight-ecs-postprocess-enrich-user_agent-pipeline ├── corelight-ecs-postprocess-final-main-pipeline ├── corelight-ecs-postprocess-final-set_index-pipeline ├── corelight-ecs-postprocess-parse_failures-pipeline ├── corelight-ecs-postprocess-parse_failures-set_index_prefix_and_suffix-pipeline ├── corelight-ecs-reuse-replace_dotted_fields_with_underscore-pipeline └── log_specific ├── metric_and_system_logs └── metric │ ├── corelight-ecs-corelight_metrics_utilization-pipeline.disabled │ ├── corelight-ecs-corelight_weird_stats-pipeline.disabled │ ├── corelight-ecs-namecache-pipeline.disabled │ ├── corelight-ecs-reporter-pipeline.disabled │ ├── corelight-ecs-stats-pipeline.disabled │ ├── corelight-ecs-suricata_stats-pipeline.disabled │ └── corelight-ecs-weird_stats-pipeline.disabled └── protocol_logs ├── corelight-ecs-amqp-pipeline ├── corelight-ecs-analyzer-pipeline ├── corelight-ecs-bacnet-pipeline ├── corelight-ecs-bacnet_discovery-pipeline ├── corelight-ecs-bacnet_property-pipeline ├── corelight-ecs-bsap_ip_header-pipeline ├── corelight-ecs-bsap_ip_rdb-pipeline ├── corelight-ecs-bsap_ip_unknown-pipeline ├── corelight-ecs-bsap_serial_header-pipeline ├── corelight-ecs-bsap_serial_rdb-pipeline ├── corelight-ecs-bsap_serial_rdb_ext-pipeline ├── corelight-ecs-bsap_serial_unknown-pipeline ├── 
corelight-ecs-cip-pipeline ├── corelight-ecs-cip_identity-pipeline ├── corelight-ecs-cip_io-pipeline ├── corelight-ecs-conn-pipeline ├── corelight-ecs-conn_agg-pipeline ├── corelight-ecs-conn_long-pipeline ├── corelight-ecs-conn_red-pipeline ├── corelight-ecs-corelight_ml_results-pipeline ├── corelight-ecs-cotp-pipeline ├── corelight-ecs-dce_rpc-pipeline ├── corelight-ecs-dga-pipeline ├── corelight-ecs-dhcp-pipeline ├── corelight-ecs-dnp3-pipeline ├── corelight-ecs-dnp3_control-pipeline ├── corelight-ecs-dnp3_objects-pipeline ├── corelight-ecs-dns-pipeline ├── corelight-ecs-dns_agg-pipeline ├── corelight-ecs-dns_red-pipeline ├── corelight-ecs-dpd-pipeline ├── corelight-ecs-ecat_aoe_info-pipeline ├── corelight-ecs-ecat_arp_info-pipeline ├── corelight-ecs-ecat_coe_info-pipeline ├── corelight-ecs-ecat_dev_info-pipeline ├── corelight-ecs-ecat_foe_info-pipeline ├── corelight-ecs-ecat_log_address-pipeline ├── corelight-ecs-ecat_registers-pipeline ├── corelight-ecs-ecat_soe_info-pipeline ├── corelight-ecs-encrypted_dns-pipeline ├── corelight-ecs-enip-pipeline ├── corelight-ecs-enip_list_identity-pipeline ├── corelight-ecs-etc_viz-pipeline ├── corelight-ecs-files-pipeline ├── corelight-ecs-files_red-pipeline ├── corelight-ecs-ftp-pipeline ├── corelight-ecs-generic_dns_tunnels-pipeline ├── corelight-ecs-generic_icmp_tunnels-pipeline ├── corelight-ecs-genisys-pipeline ├── corelight-ecs-gquic-pipeline ├── corelight-ecs-http-pipeline ├── corelight-ecs-http2-pipeline ├── corelight-ecs-http_red-pipeline ├── corelight-ecs-intel-pipeline ├── corelight-ecs-ipsec-pipeline ├── corelight-ecs-irc-pipeline ├── corelight-ecs-iso_cotp-pipeline ├── corelight-ecs-kerberos-pipeline ├── corelight-ecs-known-certs-pipeline ├── corelight-ecs-known-devices-pipeline ├── corelight-ecs-known-domains-pipeline ├── corelight-ecs-known-hosts-pipeline ├── corelight-ecs-known-modbus-pipeline ├── corelight-ecs-known-names-pipeline ├── corelight-ecs-known-remotes-pipeline ├── 
corelight-ecs-known-services-pipeline ├── corelight-ecs-known-users-pipeline ├── corelight-ecs-known_certs-pipeline ├── corelight-ecs-known_devices-pipeline ├── corelight-ecs-known_domains-pipeline ├── corelight-ecs-known_hosts-pipeline ├── corelight-ecs-known_modbus-pipeline ├── corelight-ecs-known_names-pipeline ├── corelight-ecs-known_remotes-pipeline ├── corelight-ecs-known_services-pipeline ├── corelight-ecs-known_users-pipeline ├── corelight-ecs-ldap-pipeline ├── corelight-ecs-ldap_search-pipeline ├── corelight-ecs-log4j-pipeline ├── corelight-ecs-log4shell-pipeline ├── corelight-ecs-meterpreter-pipeline ├── corelight-ecs-meterpreter_headers-pipeline ├── corelight-ecs-ml_results-pipeline ├── corelight-ecs-modbus-pipeline ├── corelight-ecs-modbus_detailed-pipeline ├── corelight-ecs-modbus_mask_write_register-pipeline ├── corelight-ecs-modbus_read_write_multiple_registers-pipeline ├── corelight-ecs-modbus_register_change-pipeline ├── corelight-ecs-mqtt-pipeline ├── corelight-ecs-mqtt_connect-pipeline ├── corelight-ecs-mqtt_publish-pipeline ├── corelight-ecs-mqtt_subscribe-pipeline ├── corelight-ecs-mysql-pipeline ├── corelight-ecs-notice-pipeline ├── corelight-ecs-notice_alarm-pipeline ├── corelight-ecs-ntlm-pipeline ├── corelight-ecs-ntp-pipeline ├── corelight-ecs-ocsp-pipeline ├── corelight-ecs-pcr-pipeline ├── corelight-ecs-pe-pipeline ├── corelight-ecs-pop3-pipeline ├── corelight-ecs-profinet-pipeline ├── corelight-ecs-profinet_debug-pipeline ├── corelight-ecs-profinet_dec_rpc-pipeline ├── corelight-ecs-quic-pipeline ├── corelight-ecs-radius-pipeline ├── corelight-ecs-rdp-pipeline ├── corelight-ecs-rfb-pipeline ├── corelight-ecs-s7comm-pipeline ├── corelight-ecs-s7comm_plus-pipeline ├── corelight-ecs-s7comm_read_szl-pipeline ├── corelight-ecs-s7comm_upload_download-pipeline ├── corelight-ecs-sip-pipeline ├── corelight-ecs-smb_files-pipeline ├── corelight-ecs-smb_mapping-pipeline ├── corelight-ecs-smtp-pipeline ├── corelight-ecs-smtp_links-pipeline ├── 
corelight-ecs-snmp-pipeline ├── corelight-ecs-socks-pipeline ├── corelight-ecs-software-pipeline ├── corelight-ecs-software_red-pipeline ├── corelight-ecs-specific_dns_tunnels-pipeline ├── corelight-ecs-ssdp-pipeline ├── corelight-ecs-ssh-pipeline ├── corelight-ecs-ssl-pipeline ├── corelight-ecs-ssl_red-pipeline ├── corelight-ecs-stepping-pipeline ├── corelight-ecs-stun-pipeline ├── corelight-ecs-stun_nat-pipeline ├── corelight-ecs-suricata_corelight-pipeline ├── corelight-ecs-syslog-pipeline ├── corelight-ecs-tds-pipeline ├── corelight-ecs-tds_rpc-pipeline ├── corelight-ecs-tds_sql_batch-pipeline ├── corelight-ecs-telnet-pipeline ├── corelight-ecs-traceroute-pipeline ├── corelight-ecs-tunnel-pipeline ├── corelight-ecs-unknown_mime_type_discovery-pipeline ├── corelight-ecs-vpn-pipeline ├── corelight-ecs-websockets-pipeline ├── corelight-ecs-weird-pipeline ├── corelight-ecs-weird_red-pipeline ├── corelight-ecs-wireguard-pipeline ├── corelight-ecs-x509-pipeline └── corelight-ecs-x509_red-pipeline /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2022 by Corelight, Inc 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. 
Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2019, Corelight, Inc. 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. 
Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Corelight ECS Ingest Pipeline 2 | The repository is comprised of Ingest Pipeline files required to be used with the installer script in the repository 3 | https://github.com/corelight/ecs-templates 4 | 5 | The installer in that repository will download the files from this repository; therefore, using this repository directly is neither required nor recommended. 6 | 7 | # License 8 | The files and automation script are open-source under a BSD license. See ``COPYING`` for details. 
9 | 10 | 11 | # Github Repository Definitions 12 | 13 | ## Elasticsearch templates 14 | https://github.com/corelight/ecs-templates 15 | - Elasticsearch index templates, component templates, ilm policies, settings, and mappings 16 | - Install Script 17 | 18 | ## Logstash Pipelines 19 | https://github.com/corelight/ecs-logstash-mappings 20 | - Logstash pipeline configurations 21 | 22 | ## Ingest Pipelines (This Repository) 23 | https://github.com/corelight/ecs-mapping 24 | - Ingest pipeline configurations 25 | 26 | ## Kibana Dashboards and Visualizations 27 | https://github.com/corelight/ecs-dashboards 28 | 29 | ## Kibana Security Rules and Alerts 30 | https://github.com/corelight/Elasticsearch_rules 31 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-common-main-set_index_prefix_and_suffix-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for setting the index prefix/suffix. Common parsings amongst each data/log type. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "description": "Start off as unknown protocol log. Later on in the pipeline appropriate variable will be set.", 8 | "field": "temporary_metadata_index_name_type", 9 | "value": "VAR_CL_DS_TYPE_UNKNOWN_LOG" 10 | } 11 | }, 12 | { 13 | "set": { 14 | "description": "Start off as unknown protocol log. Later on in the pipeline appropriate variable will be set.", 15 | "field": "temporary_metadata_index_name_dataset_prefix", 16 | "value": "VAR_CL_DS_PREFIX_UNKNOWN_LOG" 17 | } 18 | }, 19 | { 20 | "set": { 21 | "description": "Start off as unknown protocol log. 
Later on in the pipeline appropriate variable will be set.", 22 | "field": "temporary_metadata_index_name_dataset_suffix", 23 | "value": "VAR_CL_DS_SUFFIX_UNKNOWN_LOG" 24 | } 25 | }, 26 | { 27 | "set": { 28 | "description": "Start off as unknown protocol log. Later on in the pipeline appropriate variable will be set.", 29 | "field": "temporary_metadata_index_name_namespace", 30 | "value": "VAR_CL_DS_NAMESPACE_UNKNOWN_LOG" 31 | } 32 | } 33 | ] 34 | } 35 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-common-metric-metrics_stats-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for Metric logs (metrics and stats logs). This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "temporary_metadata_is_protocol_log", 8 | "value": "no", 9 | "override": true 10 | } 11 | }, 12 | { 13 | "set": { 14 | "field": "event.kind", 15 | "value": "metric" 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.category", 21 | "value": "metrics", 22 | "override": true 23 | } 24 | }, 25 | { 26 | "set": { 27 | "field": "event.type", 28 | "value": "info" 29 | } 30 | }, 31 | { 32 | "set": { 33 | "field": "labels.corelight.event_category", 34 | "value": "diagnostics" 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_type", 40 | "value": "VAR_CL_DS_TYPE_METRIC_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_prefix", 47 | "value": "VAR_CL_DS_PREFIX_METRIC_LOG", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_dataset_suffix", 54 | "value": 
"VAR_CL_DS_SUFFIX_METRIC_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "set": { 60 | "field": "temporary_metadata_index_name_namespace", 61 | "value": "VAR_CL_DS_NAMESPACE_METRIC_LOG", 62 | "ignore_failure": false 63 | } 64 | }, 65 | { 66 | "pipeline": { 67 | "name": "corelight-ecs-reuse-replace_dotted_fields_with_underscore-pipeline", 68 | "ignore_failure": true 69 | } 70 | } 71 | //{ 72 | // "pipeline": { 73 | // "name": "corelight-ecs-corelight_metrics_utilization-pipeline", 74 | // "if": "ctx.labels?.corelight?.event_sub_type == 'corelight_metrics_utilization'" 75 | // } 76 | //}, 77 | //{ 78 | // "pipeline": { 79 | // "name": "corelight-ecs-corelight_weird_stats-pipeline", 80 | // "if": "ctx.labels?.corelight?.event_sub_type == 'corelight_weird_stats'" 81 | // } 82 | //}, 83 | //{ 84 | // "pipeline": { 85 | // "name": "corelight-ecs-namecache-pipeline", 86 | // "if": "ctx.labels?.corelight?.event_sub_type == 'namecache'" 87 | // } 88 | //}, 89 | //{ 90 | // "pipeline": { 91 | // "name": "corelight-ecs-reporter-pipeline", 92 | // "if": "ctx.labels?.corelight?.event_sub_type == 'reporter'" 93 | // } 94 | //}, 95 | //{ 96 | // "pipeline": { 97 | // "name": "corelight-ecs-stats-pipeline", 98 | // "if": "ctx.labels?.corelight?.event_sub_type == 'stats'" 99 | // } 100 | //}, 101 | //{ 102 | // "pipeline": { 103 | // "name": "corelight-ecs-suricata_stats-pipeline", 104 | // "if": "ctx.labels?.corelight?.event_sub_type == 'suricata_stats'" 105 | // } 106 | //}, 107 | //{ 108 | // "pipeline": { 109 | // "name": "corelight-ecs-weird_stats-pipeline", 110 | // "if": "ctx.labels?.corelight?.event_sub_type == 'weird_stats'" 111 | // } 112 | //} 113 | ] 114 | } 115 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-common-system-iam_netcontrol_system_audit-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 
System logs (system, iam, and netcontrol logs). This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "temporary_metadata_is_protocol_log", 8 | "value": "no", 9 | "override": true 10 | } 11 | }, 12 | { 13 | "set": { 14 | "field": "event.kind", 15 | "value": "event" 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.category", 21 | "value": "system", 22 | "override": true 23 | } 24 | }, 25 | { 26 | "set": { 27 | "field": "event.type", 28 | "value": "info" 29 | } 30 | }, 31 | { 32 | "set": { 33 | "field": "labels.corelight.event_category", 34 | "value": "diagnostics" 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_type", 40 | "value": "VAR_CL_DS_TYPE_SYSTEM_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_prefix", 47 | "value": "VAR_CL_DS_PREFIX_SYSTEM_LOG", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_dataset_suffix", 54 | "value": "VAR_CL_DS_SUFFIX_SYSTEM_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "set": { 60 | "field": "temporary_metadata_index_name_namespace", 61 | "value": "VAR_CL_DS_NAMESPACE_SYSTEM_LOG", 62 | "ignore_failure": false 63 | } 64 | }, 65 | { 66 | "pipeline": { 67 | "name": "corelight-ecs-reuse-replace_dotted_fields_with_underscore-pipeline", 68 | "ignore_failure": true 69 | } 70 | }, 71 | { 72 | "set": { 73 | "description": "Set a few different event.category that are iam", 74 | "field": "event.category", 75 | "value": [ "system", "iam" ], 76 | "if": "ctx?.labels?.corelight?.event_sub_type != null && [ 'audit', 'auditlog', 'corelight_audit_log' ].contains(ctx.labels?.corelight?.event_sub_type)" 77 | } 78 | }, 79 | { 80 | "set": { 81 | 
"description": "Set netcontrol labels.corelight.event_sub_type", 82 | "field": "event.category", 83 | "value": [ "system", "iam" ], 84 | "if": "ctx?.labels?.corelight?.event_sub_type != null && [ 'netcontrol', 'netcontrol_drop', 'netcontrol_shunt', 'openflow' ].contains(ctx.labels?.corelight?.event_sub_type)" 85 | } 86 | } 87 | ] 88 | } 89 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-call_enrichments-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for post processing to call enrichment ingest pipelines. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-postprocess-enrich-destination.domain-pipeline", 8 | "ignore_missing_pipeline": false, 9 | "ignore_failure": true, 10 | "if": "ctx?.destination instanceof Map && ctx.destination?.domain != null" 11 | } 12 | }, 13 | { 14 | "pipeline": { 15 | "name": "corelight-ecs-postprocess-enrich-geoip-destination.ip-pipeline", 16 | "ignore_missing_pipeline": false, 17 | "ignore_failure": true, 18 | "if": "ctx?.destination instanceof Map && ctx.destination?.ip != null" 19 | } 20 | }, 21 | { 22 | "pipeline": { 23 | "name": "corelight-ecs-postprocess-enrich-geoip-host.ip-pipeline", 24 | "ignore_missing_pipeline": false, 25 | "ignore_failure": true, 26 | "if": "ctx?.host instanceof Map && ctx.host?.ip != null" 27 | } 28 | }, 29 | { 30 | "pipeline": { 31 | "name": "corelight-ecs-postprocess-enrich-geoip-source.ip-pipeline", 32 | "ignore_missing_pipeline": false, 33 | "ignore_failure": true, 34 | "if": "ctx?.source instanceof Map && ctx.source?.ip != null" 35 | } 36 | }, 37 | { 38 | "pipeline": { 39 | "name": 
"corelight-ecs-postprocess-enrich-url-pipeline", 40 | "ignore_missing_pipeline": false, 41 | "ignore_failure": true, 42 | "if": "ctx?.url instanceof Map && ctx.url?.original != null" 43 | } 44 | }, 45 | { 46 | "pipeline": { 47 | "name": "corelight-ecs-postprocess-enrich-user_agent-pipeline", 48 | "ignore_missing_pipeline": false, 49 | "ignore_failure": true, 50 | "if": "ctx?.user_agent instanceof Map && ctx.user_agent?.original != null" 51 | } 52 | } 53 | ] 54 | } 55 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-enrich-destination.domain-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for destination.domain. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "script": { 7 | "lang": "painless", 8 | "description": "Add length of destination.domain", 9 | "source": "ctx.destination.domain_length = ctx.destination.domain.length()", 10 | "ignore_failure": true 11 | } 12 | }, 13 | { 14 | "script": { 15 | "lang": "painless", 16 | "source": "ctx.destination.top_level_domain = ctx.destination.domain.substring(ctx.destination.domain.lastIndexOf('.')+1)", 17 | "ignore_failure": true 18 | } 19 | }, 20 | { 21 | "script": { 22 | "lang": "painless", 23 | "source": "ctx.temp_without_top_level = ctx.destination.domain.substring(0,(ctx.destination.domain.lastIndexOf('.')))", 24 | "ignore_failure": true 25 | } 26 | }, 27 | { 28 | "script": { 29 | "lang": "painless", 30 | "source": "ctx.destination.parent_domain = ctx.temp_without_top_level.substring(ctx.temp_without_top_level.lastIndexOf('.') + 1)", 31 | "ignore_failure": true, 32 | "if": "ctx.temp_without_top_level != null" 33 | } 34 | }, 35 | { 36 | "script": { 37 | 
"lang": "painless", 38 | "source": "ctx.destination.subdomain = ctx.temp_without_top_level.substring(0,(ctx.temp_without_top_level.lastIndexOf('.')))", 39 | "ignore_failure": true, 40 | "if": "ctx.temp_without_top_level != null" 41 | } 42 | }, 43 | { 44 | "script": { 45 | "lang": "painless", 46 | "source": "ctx.destination.registered_domain = ctx.destination.parent_domain + '.' + ctx.destination.top_level_domain", 47 | "ignore_failure": true, 48 | "if": "ctx.destination?.parent_domain != null" 49 | } 50 | }, 51 | { 52 | "remove": { 53 | "field": [ "temp_without_top_level" ], 54 | "ignore_failure": true, 55 | "ignore_missing": true 56 | } 57 | } 58 | ] 59 | } 60 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-enrich-geoip-destination.ip-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for destination.ip Geo IP and Geo ASN enrichment. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "geoip": { 7 | "field": "destination.ip", 8 | "target_field": "destination.geo", 9 | "ignore_missing": true 10 | } 11 | }, 12 | { 13 | "geoip": { 14 | "database_file": "GeoLite2-ASN.mmdb", 15 | "field": "destination.ip", 16 | "target_field": "destination.as", 17 | "ignore_missing": true 18 | } 19 | }, 20 | { 21 | "rename": { 22 | "field": "destination.as.asn", 23 | "target_field": "destination.as.number", 24 | "ignore_failure": true, 25 | "ignore_missing": true 26 | } 27 | }, 28 | { 29 | "rename": { 30 | "field": "destination.as.organization_name", 31 | "target_field": "destination.as.organization.name", 32 | "ignore_failure": true, 33 | "ignore_missing": true 34 | } 35 | } 36 | ] 37 | } 38 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-enrich-geoip-host.ip-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for host.ip Geo IP and Geo ASN enrichment. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "geoip": { 7 | "field": "host.ip", 8 | "target_field": "host.geo", 9 | "ignore_missing": true 10 | } 11 | }, 12 | { 13 | "geoip": { 14 | "database_file": "GeoLite2-ASN.mmdb", 15 | "field": "host.ip", 16 | "target_field": "host.as", 17 | "ignore_missing": true 18 | } 19 | }, 20 | { 21 | "rename": { 22 | "field": "host.as.asn", 23 | "target_field": "host.as.number", 24 | "ignore_failure": true, 25 | "ignore_missing": true 26 | } 27 | }, 28 | { 29 | "rename": { 30 | "field": "host.as.organization_name", 31 | "target_field": "host.as.organization.name", 32 | "ignore_failure": true, 33 | "ignore_missing": true 34 | } 35 | } 36 | ] 37 | } 38 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-enrich-geoip-source.ip-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for source.ip Geo IP and Geo ASN enrichment. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "geoip": { 7 | "field": "source.ip", 8 | "target_field": "source.geo", 9 | "ignore_missing": true 10 | } 11 | }, 12 | { 13 | "geoip": { 14 | "database_file": "GeoLite2-ASN.mmdb", 15 | "field": "source.ip", 16 | "target_field": "source.as", 17 | "ignore_missing": true 18 | } 19 | }, 20 | { 21 | "rename": { 22 | "field": "source.as.asn", 23 | "target_field": "source.as.number", 24 | "ignore_failure": true, 25 | "ignore_missing": true 26 | } 27 | }, 28 | { 29 | "rename": { 30 | "field": "source.as.organization_name", 31 | "target_field": "source.as.organization.name", 32 | "ignore_failure": true, 33 | "ignore_missing": true 34 | } 35 | } 36 | ] 37 | } 38 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-enrich-url-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for url. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "script": { 7 | "lang": "painless", 8 | "description": "Add length of url.original", 9 | "source": "ctx.url.original_length = ctx.url.original.length()", 10 | "ignore_failure": true, 11 | "if": "ctx.url?.original != null" 12 | } 13 | }, 14 | { 15 | "script": { 16 | "lang": "painless", 17 | "description": "Add length of url.domain", 18 | "source": "ctx.url.domain_length = ctx.url.domain.length()", 19 | "ignore_failure": true, 20 | "if": "ctx.url?.domain != null" 21 | } 22 | } 23 | ] 24 | } 25 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-enrich-user_agent-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for user_agent. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "script": { 7 | "description": "Add length of user_agent.original", 8 | "lang": "painless", 9 | "source": "ctx.user_agent.original_length = ctx.user_agent.original.length()", 10 | "ignore_failure": true 11 | } 12 | } 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-final-main-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for the final post processing. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "description": "Set _index name", 8 | "name": "corelight-ecs-postprocess-final-set_index-pipeline" 9 | } 10 | }, 11 | { 12 | "rename": { 13 | "field": "temp_host", 14 | "target_field": "labels.corelight.logstash_input_host_listening_ip", 15 | "ignore_failure": true, 16 | "if": "ctx.temp_host != null" 17 | } 18 | }, 19 | { 20 | "rename": { 21 | "field": "temp_port", 22 | "target_field": "labels.corelight.logstash_input_host_listening_port", 23 | "ignore_failure": true, 24 | "if": "ctx.temp_port != null" 25 | } 26 | }, 27 | { 28 | "remove": { 29 | "field": [ 30 | "custom_temporary_metadata_index_name_namespace", 31 | "temporary_metadata_index_name_dataset_prefix", 32 | "temporary_metadata_index_name_dataset_suffix", 33 | "temporary_metadata_index_name_namespace", 34 | "temporary_metadata_index_name_prefix", 35 | "temporary_metadata_index_name_type", 36 | "temporary_metadata_is_protocol_log" 37 | ], 38 | "ignore_failure": true, 39 | "ignore_missing": true 40 | } 41 | } 42 | ] 43 | } 44 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-final-set_index-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for final _index naming. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "description": "Set 'data_stream.namespace' if it's not already set. 
If it was already set, this means the user wants to set the namespace and has already set it (i.e. to differentiate multiple customers); otherwise 'custom_temporary_metadata_index_name_namespace' can be used.", 8 | "field": "data_stream.namespace", 9 | "copy_from": "temporary_metadata_index_name_namespace", 10 | "if": "ctx?.data_stream?.namespace == null" 11 | } 12 | }, 13 | { 14 | "set": { 15 | "description": "Set data_stream fields 'data_stream.type'.", 16 | "field": "data_stream.type", 17 | "copy_from": "temporary_metadata_index_name_type" 18 | } 19 | }, 20 | { 21 | "set": { 22 | "description": "Set data_stream fields 'data_stream.dataset'.", 23 | "field": "data_stream.dataset", 24 | "value": "{{{temporary_metadata_index_name_dataset_prefix}}}.{{{temporary_metadata_index_name_dataset_suffix}}}" 25 | } 26 | }, 27 | { 28 | "set": { 29 | "description": "User wants to set namespace and has already set it, therefore override/set 'temporary_metadata_index_name_namespace'.", 30 | "field": "temporary_metadata_index_name_namespace", 31 | "copy_from": "custom_temporary_metadata_index_name_namespace", 32 | "ignore_empty_value": true, 33 | "if": "ctx?.custom_temporary_metadata_index_name_namespace != null" 34 | } 35 | }, 36 | { 37 | "set": { 38 | "description": "User wants to set namespace and has already set it, therefore override/set 'data_stream.namespace'.", 39 | "field": "data_stream.namespace", 40 | "copy_from": "custom_temporary_metadata_index_name_namespace", 41 | "ignore_empty_value": true, 42 | "if": "ctx?.custom_temporary_metadata_index_name_namespace != null" 43 | } 44 | }, 45 | { 46 | "set": { 47 | "description": "Set final _index name.", 48 | "field": "_index", 49 | "value": "{{{temporary_metadata_index_name_type}}}-{{{temporary_metadata_index_name_dataset_prefix}}}.{{{temporary_metadata_index_name_dataset_suffix}}}-{{{temporary_metadata_index_name_namespace}}}" 50 | } 51 | } 52 | ] 53 | } 54 | 55 | 56 | 57 | 58 | 
-------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-parse_failures-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for handling logs with critical parse failures: such events are marked with event.kind 'pipeline_error' and routed to a dedicated parse-failures index, to prevent field collisions and other improper handling of data that could cause issues in mappings/fields/values. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.ingested", 8 | "value": "{{{_ingest.timestamp}}}", 9 | "if": "ctx.event?.ingested == null" 10 | } 11 | }, 12 | { 13 | "set": { 14 | "field": "@timestamp", 15 | "value": "{{{event.ingested}}}", 16 | "if": "ctx['@timestamp'] == null" 17 | } 18 | }, 19 | { 20 | "set": { 21 | "field": "event.kind", 22 | "value": "pipeline_error" 23 | } 24 | }, 25 | { 26 | "remove": { 27 | "field": "id", 28 | "ignore_failure": true, 29 | "ignore_missing": true 30 | } 31 | }, 32 | { 33 | "pipeline": { 34 | "description": "Set naming for parse_failures", 35 | "name": "corelight-ecs-postprocess-parse_failures-set_index_prefix_and_suffix-pipeline", 36 | "ignore_missing_pipeline": false 37 | } 38 | } 39 | ] 40 | } 41 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-postprocess-parse_failures-set_index_prefix_and_suffix-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for naming parse failures index. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "temporary_metadata_index_name_type", 8 | "value": "VAR_CL_DS_TYPE_PARSE_FAILURES_LOG", 9 | "ignore_failure": false 10 | } 11 | }, 12 | { 13 | "set": { 14 | "field": "temporary_metadata_index_name_dataset_prefix", 15 | "value": "VAR_CL_DS_PREFIX_PARSE_FAILURES_LOG", 16 | "ignore_failure": false 17 | } 18 | }, 19 | { 20 | "set": { 21 | "field": "temporary_metadata_index_name_dataset_suffix", 22 | "value": "VAR_CL_DS_SUFFIX_PARSE_FAILURES_LOG", 23 | "ignore_failure": false 24 | } 25 | }, 26 | { 27 | "set": { 28 | "field": "temporary_metadata_index_name_namespace", 29 | "value": "VAR_CL_DS_NAMESPACE_PARSE_FAILURES_LOG", 30 | "ignore_failure": false 31 | } 32 | } 33 | ] 34 | } 35 | -------------------------------------------------------------------------------- /pipeline/corelight-ecs-reuse-replace_dotted_fields_with_underscore-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for replacing dots in fields with underscores (Remove infinite dotted fields and replace with underscore). This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "processors" : [ 4 | { 5 | "script": { 6 | "lang": "painless", 7 | "source": "\n // Create a map to hold new field values\n def newFields = new HashMap();\n \n // Create a list to hold field names to be removed\n def fieldsToRemove = new ArrayList();\n \n // Iterate over the document fields\n for (def entry : ctx.entrySet()) {\n def key = entry.getKey();\n \n // Check if field name contains a dot\n if (key.contains('.')) {\n // Replace dots with underscores in the field name\n def newKey = key.replace('.', '_');\n //def newKey = key.replaceAll('.{2,}', '_');\n \n // Add the new field name and value to the map\n newFields.put(newKey, entry.getValue());\n \n // Mark the original field for removal\n fieldsToRemove.add(key);\n }\n }\n \n // Apply the new fields\n for (def newField : newFields.entrySet()) {\n ctx.put(newField.getKey(), newField.getValue());\n }\n \n // Remove the original fields\n for (def field : fieldsToRemove) {\n ctx.remove(field);\n }\n ", 8 | "ignore_failure": true 9 | } 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /pipeline/log_specific/metric_and_system_logs/metric/corelight-ecs-corelight_metrics_utilization-pipeline.disabled: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'corelight_metrics_utilization' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "rename": { 7 | "field": "smartpcap", 8 | "target_field": "utilization.corelight.smartpcap", 9 | "ignore_failure": true 10 | } 11 | }, 12 | { 13 | "rename": { 14 | "field": "suricata", 15 | "target_field": "utilization.corelight.suricata", 16 | "ignore_failure": true 17 | } 18 | }, 19 | { 20 | "rename": { 21 | "field": "sensor", 22 | "target_field": "utilization.corelight.sensor", 23 | "ignore_failure": true 24 | } 25 | } 26 | ] 27 | } 28 | -------------------------------------------------------------------------------- /pipeline/log_specific/metric_and_system_logs/metric/corelight-ecs-corelight_weird_stats-pipeline.disabled: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'corelight_weird_stats' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "rename": { 7 | "field": "name", 8 | "target_field": "weird_name", 9 | "ignore_missing": true 10 | } 11 | }, 12 | { 13 | "rename": { 14 | "field": "num_seen", 15 | "target_field": "weird_num_seen", 16 | "ignore_missing": true 17 | } 18 | } 19 | ] 20 | } 21 | -------------------------------------------------------------------------------- /pipeline/log_specific/metric_and_system_logs/metric/corelight-ecs-reporter-pipeline.disabled: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'reporter' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "rename": { 7 | "field": "level", 8 | "target_field": "reporter.level", 9 | "ignore_missing": true 10 | } 11 | }, 12 | { 13 | "rename": { 14 | "field": "location", 15 | "target_field": "reporter.location", 16 | "ignore_missing": true 17 | } 18 | }, 19 | { 20 | "rename": { 21 | "field": "message", 22 | "target_field": "reporter.message", 23 | "ignore_missing": true 24 | } 25 | } 26 | ] 27 | } 28 | -------------------------------------------------------------------------------- /pipeline/log_specific/metric_and_system_logs/metric/corelight-ecs-suricata_stats-pipeline.disabled: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'suricata_stats' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "json": { 7 | "field": "raw_mgmt", 8 | "target_field": "suricata_stats", 9 | "ignore_failure": false 10 | } 11 | }, 12 | { 13 | "date": { 14 | "field": "suricata_stats.timestamp", 15 | "target_field": "@timestamp", 16 | "formats": ["ISO8601"], 17 | "ignore_failure": true, 18 | "if": "ctx?.suricata_stats?.timestamp != null" 19 | } 20 | } 21 | ] 22 | } 23 | -------------------------------------------------------------------------------- /pipeline/log_specific/metric_and_system_logs/metric/corelight-ecs-weird_stats-pipeline.disabled: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'weird_stats' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-corelight_weird_stats-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-analyzer-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'analyzer' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2025042201, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "error" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "analyzer_kind", 61 | "target_field": 
"analyzer.analyzer_kind", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "analyzer_name", 68 | "target_field": "analyzer.analyzer_name", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "cause", 75 | "target_field": "analyzer.cause", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "failure_data", 82 | "target_field": "analyzer.failure_data", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "failure_reason", 89 | "target_field": "analyzer.failure_reason", 90 | "ignore_missing": true 91 | } 92 | } 93 | ] 94 | } -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-bacnet-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'bacnet' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "is_orig", 61 | "target_field": "bacnet.is_orig", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "bvlc_function", 68 | "target_field": "bacnet.bvlc_function", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "pdu_type", 75 | "target_field": "bacnet.pdu_type", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "pdu_service", 82 | "target_field": "bacnet.pdu_service", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "invoke_id", 89 | "target_field": "bacnet.invoke_id", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": 
"result_code", 96 | "target_field": "bacnet.result_code", 97 | "ignore_missing": true 98 | } 99 | } 100 | ] 101 | } 102 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-bacnet_discovery-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'bacnet_discovery' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "is_orig", 61 | "target_field": "bacnet.is_orig", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "pdu_service", 68 | 
"target_field": "bacnet.pdu_service", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "object_type", 75 | "target_field": "bacnet.object_type ", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "instance_number", 82 | "target_field": "bacnet.instance_number", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "range", 89 | "target_field": "bacnet.range", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "vendor", 96 | "target_field": "bacnet.vendor", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "object_name", 103 | "target_field": "bacnet.object_name", 104 | "ignore_missing": true 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-bacnet_property-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'bacnet_property' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "is_orig", 61 | "target_field": "bacnet.is_orig", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "pdu_service", 68 | "target_field": "bacnet.pdu_service", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "object_type", 75 | "target_field": "bacnet.object_type ", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "instance_number", 82 | "target_field": "bacnet.instance_number", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "range", 89 | "target_field": "bacnet.range", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": 
"vendor", 96 | "target_field": "bacnet.vendor", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "object_name", 103 | "target_field": "bacnet.object_name", 104 | "ignore_missing": true 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-bsap_ip_header-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'bsap_ip_header' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "num_msg", 61 | 
"target_field": "bsap.num_msg", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "type_name", 68 | "target_field": "bsap.type_name", 69 | "ignore_missing": true 70 | } 71 | } 72 | ] 73 | } 74 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-bsap_ip_unknown-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'bsap_ip_unknown' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "data", 61 | "target_field": "bsap.data", 62 | 
"ignore_missing": true 63 | } 64 | } 65 | ] 66 | } 67 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-bsap_serial_header-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'bsap_serial_header' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "ser", 61 | "target_field": "bsap.ser", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "dadd", 68 | "target_field": "bsap.dadd", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | 
"rename": { 74 | "field": "sadd", 75 | "target_field": "bsap.sadd", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "ctl", 82 | "target_field": "bsap.ctl", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "dfun", 89 | "target_field": "bsap.dfun", 90 | "ignore_missing": true 91 | } 92 | },{ 93 | "rename": { 94 | "field": "seq", 95 | "target_field": "bsap.seq", 96 | "ignore_missing": true 97 | } 98 | }, 99 | { 100 | "rename": { 101 | "field": "sfun", 102 | "target_field": "bsap.sfun", 103 | "ignore_missing": true 104 | } 105 | }, 106 | { 107 | "rename": { 108 | "field": "nsb", 109 | "target_field": "bsap.nsb", 110 | "ignore_missing": true 111 | } 112 | }, 113 | { 114 | "rename": { 115 | "field": "type_name", 116 | "target_field": "bsap.type_name", 117 | "ignore_missing": true 118 | } 119 | } 120 | ] 121 | } 122 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-bsap_serial_rdb-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'bsap_serial_rdb' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "func_code", 61 | "target_field": "bsap.func_code", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "variable_count", 68 | "target_field": "bsap.variable_count", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "variables", 75 | "target_field": "bsap.variables", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "variable_value", 82 | "target_field": "bsap.variable_value", 83 | "ignore_missing": true 84 | } 85 | } 86 | ] 87 | } 88 | -------------------------------------------------------------------------------- 
/pipeline/log_specific/protocol_logs/corelight-ecs-bsap_serial_rdb_ext-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'bsap_serial_rdb_ext' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "dfun", 61 | "target_field": "bsap.dfun", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "seq", 68 | "target_field": "bsap.seq", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "sfun", 75 | "target_field": "bsap.sfun", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 
81 | "field": "nsb", 82 | "target_field": "bsap.nsb", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "extfun", 89 | "target_field": "bsap.extfun", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "data", 96 | "target_field": "bsap.data", 97 | "ignore_missing": true 98 | } 99 | } 100 | ] 101 | } 102 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-bsap_serial_unknown-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'bsap_serial_unknown' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": 
"VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "data", 61 | "target_field": "bsap.data", 62 | "ignore_missing": true 63 | } 64 | } 65 | ] 66 | } 67 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-cip_io-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'cip_io' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "is_orig", 61 | "target_field": "cip.is_orig", 62 | "ignore_failure": true 63 
| } 64 | }, 65 | { 66 | "rename": { 67 | "field": "connection_id", 68 | "target_field": "cip.connection_id", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "sequence_number", 75 | "target_field": "cip.sequence_number", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "data_length", 82 | "target_field": "cip.data_length", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "io_data", 89 | "target_field": "cip.io_data", 90 | "ignore_missing": true 91 | } 92 | } 93 | ] 94 | } 95 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-conn_agg-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'conn_agg' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2025013001, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-conn-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-conn_long-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'conn_long' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-conn-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-conn_red-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'conn_red' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-conn-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-corelight_ml_results-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'corelight_ml_results' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-ml_results-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-cotp-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'cotp' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "is_orig", 61 | "target_field": "cotp.is_orig", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "pdu_code", 68 | "target_field": "cotp.pdu_code", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "pdu_name", 75 | "target_field": "cotp.pdu_name", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "pdu_type", 82 | "target_field": "cotp.pdu_type", 83 | "ignore_missing": true 84 | } 85 | } 86 | ] 87 | } 88 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-dce_rpc-pipeline: 
-------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'dce_rpc' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "endpoint", 61 | "target_field": "dce_rpc.endpoint", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "named_pipe", 68 | "target_field": "dce_rpc.named_pipe", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "operation", 75 | "target_field": "dce_rpc.operation", 76 | "ignore_failure": true 77 | } 78 | }, 79 | { 80 | "set": { 81 | "field": "rtt", 82 | "value": "{{{dce_rpc.rtt}}}", 
83 | "ignore_failure": true 84 | } 85 | }, 86 | { 87 | "convert": { 88 | "field": "rtt", 89 | "type": "float", 90 | "ignore_failure": true 91 | } 92 | }, 93 | { 94 | "script": { 95 | "lang": "painless", 96 | "source": "ctx.event.duration = (long)(ctx.rtt * params.param_c)", 97 | "params": { 98 | "param_c": 1000000000 99 | }, 100 | "ignore_failure": true 101 | } 102 | }, 103 | { 104 | "rename": { 105 | "field": "rtt", 106 | "target_field": "dce_rpc.rtt", 107 | "ignore_failure": true 108 | } 109 | }, 110 | { 111 | "set": { 112 | "field": "network.transport", 113 | "value": "tcp", 114 | "ignore_failure": true 115 | } 116 | }, 117 | { 118 | "remove": { 119 | "field": "id", 120 | "ignore_failure": true, 121 | "ignore_missing": true 122 | } 123 | } 124 | ] 125 | } 126 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-dnp3-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'dnp3' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "proto", 61 | "target_field": "network.transport", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "fc_reply", 68 | "target_field": "dnp3.fc_reply", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "fc_request", 75 | "target_field": "dnp3.fc_request", 76 | "ignore_failure": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "iin", 82 | "target_field": "dnp3.iin", 83 | "ignore_failure": true 84 | } 85 | }, 86 | { 87 | "remove": { 88 | "ignore_failure": true, 89 | "ignore_missing": true, 90 | "field": "id" 91 | } 92 | } 93 | ] 94 | } 95 | 
-------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-dnp3_objects-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'dnp3_objects' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "object_type", 61 | "target_field": "dnp3.object_type", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "function_code", 68 | "target_field": "bsap.function_code", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": 
"object_count", 75 | "target_field": "bsap.object_count", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "range_low", 82 | "target_field": "bsap.range_low", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "range_high", 89 | "target_field": "bsap.range_high", 90 | "ignore_missing": true 91 | } 92 | } 93 | ] 94 | } 95 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-dns_agg-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'dns_agg' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2025013001, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-dns-pipeline" 8 | } 9 | } 10 | ] 11 | } -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-dns_red-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'dns_red' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-dns-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-dpd-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'dpd' log. 
This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "miscellaneous" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "proto", 61 | "target_field": "network.transport", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "analyzer", 68 | "target_field": "dpd.analyzer", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "failure_reason", 75 | "target_field": "dpd.failure_reason", 76 | "ignore_failure": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "packet_segment", 82 | "target_field": "dpd.packet_segment", 83 | "ignore_failure": true 84 | } 85 | }, 86 | { 87 | "remove": { 88 | "ignore_failure": true, 89 | "ignore_missing": true, 90 | "field": "id" 91 | } 92 | } 93 | ] 94 
| } 95 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ecat_aoe_info-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ecat_aoe_info' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "targetid", 61 | "target_field": "ecat.targetid", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "targetport", 68 | "target_field": "destination.port", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": 
"senderid", 75 | "target_field": "ecat.senderid", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "senderport", 82 | "target_field": "source.port", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "cmd", 89 | "target_field": "ecat.cmd", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "stateflags", 96 | "target_field": "ecat.stateflags", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "data", 103 | "target_field": "ecat.data", 104 | "ignore_missing": true 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ecat_arp_info-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ecat_arp_info' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "arp_type", 61 | "target_field": "ecat.opcode", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "mac_src", 68 | "target_field": "source.mac", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "mac_dst", 75 | "target_field": "destination.mac", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "spa", 82 | "target_field": "ecat.spa", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "sha", 89 | "target_field": "ecat.sha", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "tpa", 96 | "target_field": "ecat.tpa", 97 | "ignore_missing": 
true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "tha", 103 | "target_field": "ecat.tha", 104 | "ignore_missing": true 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ecat_coe_info-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ecat_coe_info' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "number", 61 | "target_field": "ecat.number", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 
| "field": "type", 68 | "target_field": "ecat.type", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "req_resp", 75 | "target_field": "ecat.req_resp", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "index", 82 | "target_field": "ecat.index", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "subindex", 89 | "target_field": "ecat.subindex", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "dataoffset", 96 | "target_field": "ecat.dataoffset", 97 | "ignore_missing": true 98 | } 99 | } 100 | ] 101 | } 102 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ecat_dev_info-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ecat_dev_info' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "slave_id", 61 | "target_field": "ecat.slave_id", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "revision", 68 | "target_field": "ecat.revision", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "dev_type", 75 | "target_field": "ecat.dev_type", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "build", 82 | "target_field": "ecat.build", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "fmmucnt", 89 | "target_field": "ecat.fmmucnt", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "smcount", 96 | "target_field": 
"ecat.smcount", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "ports", 103 | "target_field": "ecat.ports", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "rename": { 109 | "field": "dpram", 110 | "target_field": "ecat.dpram", 111 | "ignore_missing": true 112 | } 113 | }, 114 | { 115 | "rename": { 116 | "field": "features", 117 | "target_field": "ecat.features", 118 | "ignore_missing": true 119 | } 120 | } 121 | ] 122 | } 123 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ecat_foe_info-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ecat_foe_info' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | 
"set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "opcode", 61 | "target_field": "ecat.opcode", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "reserved", 68 | "target_field": "ecat.reserved", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "packet_num", 75 | "target_field": "ecat.packet_num", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "error_code", 82 | "target_field": "ecat.error_code", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "filename", 89 | "target_field": "ecat.filename", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "data", 96 | "target_field": "ecat.data", 97 | "ignore_missing": true 98 | } 99 | } 100 | ] 101 | } 102 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ecat_log_address-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ecat_log_address' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "srcmac", 61 | "target_field": "source.mac", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "dstmac", 68 | "target_field": "destination.mac", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "log_addr", 75 | "target_field": "ecat.log_addr", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "length", 82 | "target_field": "ecat.length", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "command", 89 | "target_field": "ecat.command", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "data", 96 | "target_field": "ecat.data", 97 | 
"ignore_missing": true 98 | } 99 | } 100 | ] 101 | } 102 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ecat_registers-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ecat_registers' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "srcmac", 61 | "target_field": "source.mac", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "dstmac", 68 | "target_field": "destination.mac", 69 | "ignore_failure": true 70 | } 71 | }, 72 | 
{ 73 | "rename": { 74 | "field": "command", 75 | "target_field": "ecat.command", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "slave_addr", 82 | "target_field": "ecat.slave_addr", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "register_type", 89 | "target_field": "ecat.register_type", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "register_Addr", 96 | "target_field": "ecat.register_addr", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "data", 103 | "target_field": "ecat.data", 104 | "ignore_missing": true 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ecat_soe_info-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ecat_soe_info' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "opcode", 61 | "target_field": "ecat.opcode", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "incomplete", 68 | "target_field": "ecat.incomplete", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "error", 75 | "target_field": "ecat.error", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "drive_num", 82 | "target_field": "ecat.drive_num", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "element_flags", 89 | "target_field": "ecat.element_flags", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "index", 96 | "target_field": 
"ecat.index", 97 | "ignore_missing": true 98 | } 99 | } 100 | ] 101 | } 102 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-enip-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'enip' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "is_orig", 61 | "target_field": "enip.is_orig", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "enip_command_code", 68 | "target_field": "enip.enip_command_code", 69 | "ignore_failure": true 
70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "command", 75 | "target_field": "enip.command", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "length", 82 | "target_field": "enip.length", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "options", 89 | "target_field": "enip.options", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "session_handle", 96 | "target_field": "enip.session_handle", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "sender_context", 103 | "target_field": "enip.sender_context", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "rename": { 109 | "field": "status", 110 | "target_field": "enip.status", 111 | "ignore_missing": true 112 | } 113 | }, 114 | { 115 | "rename": { 116 | "field": "enip_status", 117 | "target_field": "enip.enip_status", 118 | "ignore_missing": true 119 | } 120 | } 121 | ] 122 | } 123 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-files_red-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'files_red' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-files-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-generic_dns_tunnels-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'generic_dns_tunnels' log. 
This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "alert" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": [ "intrusion_detection", "network" ], 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "detection" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "set": { 60 | "field": "network.protocol", 61 | "value": "dns", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "dns_client", 68 | "target_field": "source.ip", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "set": { 74 | "field": "destination.domain", 75 | "value": "{{domain}}}", 76 | "ignore_failure": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "bytes", 82 | "target_field": "source.bytes", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "capture_secs", 89 | "target_field": "encrypted_dns_tunnels_capture_secs", 90 | "ignore_missing": true 91 
| } 92 | } 93 | ] 94 | } 95 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-generic_icmp_tunnels-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'generic_icmp_tunnels' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "alert" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": [ "intrusion_detection", "network" ], 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "detection" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "set": { 60 | "field": "network.protocol", 61 | "value": "icmp", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "orig", 68 | "target_field": "source.ip", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "resp", 
75 | "target_field": "destination.ip", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "id", 82 | "target_field": "icmp_id", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "seq", 89 | "target_field": "icmp_seq_number", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "bytes", 96 | "target_field": "network.bytes", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "payload_len", 103 | "target_field": "icmp_payload_len", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "rename": { 109 | "field": "icmp_payload", 110 | "target_field": "payload", 111 | "ignore_missing": true 112 | } 113 | }, 114 | { 115 | "rename": { 116 | "field": "intrusion_detection", 117 | "target_field": "icmp_detection", 118 | "ignore_missing": true 119 | } 120 | } 121 | ] 122 | } 123 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-genisys-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'genisys' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "crc_calculated", 61 | "target_field": "genisys.crc_calculated", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "crc_transmitted", 68 | "target_field": "genisys.crc_transmitted", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "direction", 75 | "target_field": "genisys.direction", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "header", 82 | "target_field": "genisys.header", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "payload", 89 | "target_field": "genisys.payload", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": 
"server", 96 | "target_field": "genisys.server", 97 | "ignore_missing": true 98 | } 99 | } 100 | ] 101 | } 102 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-gquic-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'gquic' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "orig_fuids", 61 | "target_field": "log.id.orig_fuids", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "cyu", 68 | "target_field": "gquic.cyu", 69 | 
"ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "cyutags", 75 | "target_field": "gquic.cyutags", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "server_name", 82 | "target_field": "destination.domain", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "tag_count", 89 | "target_field": "gquic.tag_count", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "user_agent", 96 | "target_field": "user_agent.original", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "version", 103 | "target_field": "gquic.version", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "set": { 109 | "field": "network.transport", 110 | "value": "udp", 111 | "ignore_failure": true 112 | } 113 | }, 114 | { 115 | "user_agent": { 116 | "field": "user_agent.original", 117 | "target_field": "user_agent", 118 | "if": "ctx.user_agent?.original != null" 119 | } 120 | }, 121 | { 122 | "remove": { 123 | "field": "id", 124 | "ignore_failure": true, 125 | "ignore_missing": true 126 | } 127 | } 128 | 129 | ] 130 | } 131 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-http2-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'http2' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-http-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-http_red-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'http_red' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-http-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-iso_cotp-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'iso_cotp' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-cotp-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-known-modbus-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'known-modbus' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_observations" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "temp_host", 61 | "target_field": "host.ip", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "set": { 67 | "field": "network.transport", 68 | "value": "tcp", 69 | "ignore_failure": true 70 | 71 | } 72 | }, 73 | { 74 | "rename": { 75 | "field": "device_type", 76 | "target_field": "modbus.device_type", 77 | "ignore_missing": true 78 | } 79 | }, 80 | { 81 | "remove": { 82 | "field": "id", 83 | "ignore_failure": true, 84 | "ignore_missing": true 85 | } 86 | } 87 | ] 88 | } 89 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-known-remotes-pipeline: 
-------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'known-remotes' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_observations" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "script": { 60 | "lang": "painless", 61 | "source": "ctx.event.duration = Math.round(ctx.duration * params.multiply_by); ctx.remove('duration')", 62 | "params": { 63 | "multiply_by": 1000000000 64 | }, 65 | "ignore_failure": false, 66 | "if": "ctx.duration != null" 67 | } 68 | }, 69 | { 70 | "rename": { 71 | "field": "host_ip", 72 | "target_field": "host.ip", 73 | "ignore_missing": true 74 | } 75 | }, 76 | { 77 | "rename": { 78 | "field": "kuid", 79 | "target_field": "log.id.kuid", 80 | 
"ignore_missing": true, 81 | "if": "ctx?.kuid != null" 82 | } 83 | }, 84 | { 85 | "rename": { 86 | "field": "num_conns", 87 | "target_field": "corelight.known.num_conns", 88 | "ignore_missing": true 89 | } 90 | }, 91 | { 92 | "set": { 93 | "field": "event.id", 94 | "value": "{{log.id.kuid}}}", 95 | "ignore_failure": true, 96 | "if": "(ctx.log?.id != null && ctx.log?.kuid != null)" 97 | } 98 | }, 99 | { 100 | "remove": { 101 | "field": "id", 102 | "ignore_failure": true, 103 | "ignore_missing": true, 104 | "if": "ctx.id != null" 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-known_modbus-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'known_modbus' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_observations" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": 
"VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "temp_host", 61 | "target_field": "host.ip", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "set": { 67 | "field": "network.transport", 68 | "value": "tcp", 69 | "ignore_failure": true 70 | 71 | } 72 | }, 73 | { 74 | "rename": { 75 | "field": "device_type", 76 | "target_field": "modbus.device_type", 77 | "ignore_missing": true 78 | } 79 | }, 80 | { 81 | "remove": { 82 | "field": "id", 83 | "ignore_failure": true, 84 | "ignore_missing": true 85 | } 86 | } 87 | ] 88 | } 89 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-known_remotes-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'known_remotes' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_observations" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "script": { 60 | "lang": "painless", 61 | "source": "ctx.event.duration = Math.round(ctx.duration * params.multiply_by); ctx.remove('duration')", 62 | "params": { 63 | "multiply_by": 1000000000 64 | }, 65 | "ignore_failure": false, 66 | "if": "ctx.duration != null" 67 | } 68 | }, 69 | { 70 | "rename": { 71 | "field": "host_ip", 72 | "target_field": "host.ip", 73 | "ignore_missing": true 74 | } 75 | }, 76 | { 77 | "rename": { 78 | "field": "kuid", 79 | "target_field": "log.id.kuid", 80 | "ignore_missing": true, 81 | "if": "ctx?.kuid != null" 82 | } 83 | }, 84 | { 85 | "rename": { 86 | "field": "num_conns", 87 | "target_field": "corelight.known.num_conns", 88 | "ignore_missing": true 89 | } 90 | }, 91 | { 92 | "set": { 93 | "field": 
"event.id", 94 | "value": "{{log.id.kuid}}}", 95 | "ignore_failure": true, 96 | "if": "(ctx.log?.id != null && ctx.log?.kuid != null)" 97 | } 98 | }, 99 | { 100 | "remove": { 101 | "field": "id", 102 | "ignore_failure": true, 103 | "ignore_missing": true, 104 | "if": "ctx.id != null" 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ldap-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ldap' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | 
"rename": { 60 | "field": "message_id", 61 | "target_field": "ldap.message_id", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "version", 68 | "target_field": "ldap.version", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "opcode", 75 | "target_field": "ldap.opcode", 76 | "ignore_failure": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "proto", 82 | "target_field": "network.transport", 83 | "ignore_failure": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "object", 89 | "target_field": "ldap.object", 90 | "ignore_failure": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "argument", 96 | "target_field": "ldap.argument", 97 | "ignore_failure": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "message_id", 103 | "target_field": "ldap.message_id", 104 | "ignore_failure": true 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-log4shell-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'log4shell' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-log4j-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-meterpreter-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for all 'meterpreter' logs. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "alert" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": [ "intrusion_detection", "network" ], 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "detection" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "date": { 60 | "field": "start_time", 61 | "target_field": "@timestamp", 62 | "formats": [ "ISO8601", "UNIX" ], 63 | "ignore_failure": true, 64 | "if": "(ctx['@timestamp'] == null )" 65 | } 66 | }, 67 | { 68 | "rename": { 69 | "field": "protocol", 70 | "target_field": "network.transport", 71 | "ignore_missing": true 72 | } 73 | }, 74 | { 75 | "rename": { 76 | "field": "reason", 77 | "target_field": "meterpreter_reason", 78 | "ignore_missing": true 79 | } 80 | }, 81 | { 82 | "rename": { 83 | "field": "os", 84 | "target_field": "os_family", 85 | "ignore_missing": true 86 | } 87 | }, 88 | { 89 | "rename": { 90 | "field": "guid", 91 | "target_field": "meterpreter_guid", 92 | "ignore_missing": true 93 | } 94 | }, 95 | { 96 | 
"rename": { 97 | "field": "staged", 98 | "target_field": "meterpreter_staged", 99 | "ignore_missing": true 100 | } 101 | }, 102 | { 103 | "rename": { 104 | "field": "encrypted", 105 | "target_field": "meterpreter_encrypted", 106 | "ignore_missing": true 107 | } 108 | } 109 | ] 110 | } 111 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-meterpreter_headers-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'meterpreter_headers' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-meterpreter-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ml_results-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ml_results' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "alert" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": [ "intrusion_detection", "network" ], 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "detection" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "set": { 60 | "field": "event.id", 61 | "value": "{{{id}}}", 62 | "ignore_failure": true, 63 | "if": "ctx.id != null" 64 | } 65 | }, 66 | { 67 | "rename": { 68 | "field": "id", 69 | "target_field": "log.id.id", 70 | "ignore_failure": true 71 | } 72 | }, 73 | { 74 | "rename": { 75 | "field": "domain", 76 | "target_field": "destination.domain", 77 | "ignore_failure": true 78 | } 79 | }, 80 | { 81 | "rename": { 82 | "field": "predicted_tag_name", 83 | "target_field": "ml_results.predicted_tag_name", 84 | "ignore_failure": true 85 | } 86 | }, 87 | { 88 | "rename": { 89 | "field": "predicted_probability", 90 | "target_field": "ml_results.predicted_probability", 91 | "ignore_failure": true 92 | } 93 | } 94 | ] 95 | } 96 | 
-------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-modbus-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'modbus' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "proto", 61 | "target_field": "network.transport", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "function", 68 | "target_field": "modbus.function", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "exception", 75 | "target_field": 
"modbus.exception", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "track_address", 82 | "target_field": "modbus.track_address", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "delta", 89 | "target_field": "modbus.delta", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "new_val", 96 | "target_field": "modbus.new_value", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "old_val", 103 | "target_field": "modbus.old_value", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "rename": { 109 | "field": "register", 110 | "target_field": "modbus.register", 111 | "ignore_missing": true 112 | } 113 | }, 114 | { 115 | "remove": { 116 | "field": "id", 117 | "ignore_failure": true, 118 | "ignore_missing": true 119 | } 120 | } 121 | ] 122 | } 123 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-modbus_detailed-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'modbus_detailed' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "unit_id", 61 | "target_field": "modbus.unit_id", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "func", 68 | "target_field": "modbus.func", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "socket_port", 75 | "target_field": "modbus.socket_port", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "network_direction", 82 | "target_field": "modbus.network_direction", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "vendor_name", 89 | "target_field": "modbus.vendor_name", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": 
"address", 96 | "target_field": "modbus.address", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "quantity", 103 | "target_field": "modbus.quantity", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "rename": { 109 | "field": "product_code", 110 | "target_field": "modbus.product_code", 111 | "ignore_missing": true 112 | } 113 | }, 114 | { 115 | "rename": { 116 | "field": "values", 117 | "target_field": "modbus.values", 118 | "ignore_missing": true 119 | } 120 | } 121 | ] 122 | } 123 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-modbus_mask_write_register-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'modbus_mask_write_register' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": 
"VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "unit_id", 61 | "target_field": "modbus.unit_id", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "func", 68 | "target_field": "modbus.func", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "socket_port", 75 | "target_field": "modbus.socket_port", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "network_direction", 82 | "target_field": "modbus.network_direction", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "vendor_name", 89 | "target_field": "modbus.vendor_name", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "address", 96 | "target_field": "modbus.address", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "and_mask", 103 | "target_field": "modbus.and_mask", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "rename": { 109 | "field": "or_mask", 110 | "target_field": "modbus.or_mask", 111 | "ignore_missing": true 112 | } 113 | } 114 | ] 115 | } 116 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-modbus_read_write_multiple_registers-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'modbus_read_write_multiple_registers' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "unit_id", 61 | "target_field": "modbus.unit_id", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "func", 68 | "target_field": "modbus.func", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "network_direction", 75 | "target_field": "modbus.network_direction", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "write_start_address", 82 | "target_field": "modbus.write_start_address", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "write_registers", 89 | "target_field": "modbus.write_registers", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": 
{ 95 | "field": "read_start_address", 96 | "target_field": "modbus.read_start_address", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "read_quantity", 103 | "target_field": "modbus.read_quantity", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "rename": { 109 | "field": "read_registers", 110 | "target_field": "modbus.read_registers", 111 | "ignore_missing": true 112 | } 113 | } 114 | ] 115 | } 116 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-modbus_register_change-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'modbus_register_change' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 
53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "delta", 61 | "target_field": "modbus.delta", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "new_val", 68 | "target_field": "modbus.new_value", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "old_val", 75 | "target_field": "modbus.old_value", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "register", 82 | "target_field": "modbus.register", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "remove": { 88 | "field": "id", 89 | "ignore_failure": true, 90 | "ignore_missing": true 91 | } 92 | } 93 | ] 94 | } 95 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-mqtt_connect-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'mqtt_connect' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-mqtt-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-mqtt_publish-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'mqtt_publish' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-mqtt-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-mqtt_subscribe-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'mqtt_subscribe' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-mqtt-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-mysql-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'mysql' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "proto", 61 | "target_field": "network.transport", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "arg", 68 | "target_field": "mysql.args", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "cmd", 75 | "target_field": "mysql.command", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "response", 82 | "target_field": "mysql.response", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "rows", 89 | "target_field": "mysql.rows", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "set": { 95 | "field": "event.outcome", 96 | "value": "success", 97 | 
"ignore_failure": true, 98 | "if": "(ctx.success == true)" 99 | } 100 | }, 101 | { 102 | "set": { 103 | "field": "event.outcome", 104 | "value": "failure", 105 | "ignore_failure": true, 106 | "if": "(ctx.success == false)" 107 | } 108 | }, 109 | { 110 | "rename": { 111 | "field": "success", 112 | "target_field": "mysql.successful", 113 | "ignore_missing": true 114 | } 115 | }, 116 | { 117 | "remove": { 118 | "field": "id", 119 | "ignore_failure": true, 120 | "ignore_missing": true 121 | } 122 | } 123 | ] 124 | } 125 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-notice_alarm-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'notice_alarm' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-notice-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-pcr-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'pcr' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "diagnostics" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "pcr", 61 | "target_field": "pcr_pcr", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "src", 68 | "target_field": "pcr_src", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "set": { 74 | "field": "host.ip", 75 | "value": "{{{pcr_src}}}", 76 | "ignore_failure": true, 77 | "if": "ctx.pcr_src != null && ctx.host?.ip == null" 78 | } 79 | } 80 | ] 81 | } 82 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-profinet-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'profinet' log. 
This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "block_version", 61 | "target_field": "profinet.block_version", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "operation_type", 68 | "target_field": "profinet.operation_type", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "slot_number", 75 | "target_field": "profinet.slot_number", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "subslot_number", 82 | "target_field": "profinet.subslot_number", 83 | "ignore_missing": true 84 | } 85 | } 86 | ] 87 | } 88 | 
-------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-profinet_debug-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'profinet_debug' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "raw_data", 61 | "target_field": "profinet.raw_data", 62 | "ignore_missing": true 63 | } 64 | } 65 | ] 66 | } 67 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-profinet_dec_rpc-pipeline: 
-------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'profinet_dce_rpc' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "version", 61 | "target_field": "profinet.version", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "packet_type", 68 | "target_field": "profinet.packet_type", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "object_uuid", 75 | "target_field": "profinet.object_uuid", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "interface_uuid", 82 | 
"target_field": "profinet.interface_uuid", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "interface_uuid", 89 | "target_field": "profinet.interface_uuid", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "server_boot_time", 96 | "target_field": "profinet.server_boot_time", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "operation", 103 | "target_field": "profinet.operation", 104 | "ignore_missing": true 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-quic-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'quic' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | 
"ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "orig_fuids", 61 | "target_field": "log.id.orig_fuids", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "cyu", 68 | "target_field": "gquic.cyu", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "cyutags", 75 | "target_field": "gquic.cyutags", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "server_name", 82 | "target_field": "destination.domain", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "tag_count", 89 | "target_field": "gquic.tag_count", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "user_agent", 96 | "target_field": "user_agent.original", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "version", 103 | "target_field": "gquic.version", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "set": { 109 | "field": "network.transport", 110 | "value": "udp", 111 | "ignore_failure": true 112 | } 113 | }, 114 | { 115 | "user_agent": { 116 | "field": "user_agent.original", 117 | "target_field": "user_agent", 118 | "if": "ctx.user_agent?.original != null" 119 | } 120 | }, 121 | { 122 | "remove": { 123 | "field": "id", 124 | "ignore_failure": true, 125 | "ignore_missing": true 126 | } 127 | } 128 | 129 | ] 130 | } 131 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-s7comm_plus-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 's7comm_plus' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "is_orig", 61 | "target_field": "s7comm.is_orig", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "version", 68 | "target_field": "s7comm.version", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "opcode", 75 | "target_field": "s7comm.opcode", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "opcode_name", 82 | "target_field": "s7comm.opcode_name", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "function_code", 89 | "target_field": "s7comm.function_code", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "function_name", 96 
| "target_field": "s7comm.function_name", 97 | "ignore_missing": true 98 | } 99 | } 100 | ] 101 | } 102 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-s7comm_read_szl-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 's7comm_read_szl' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "pdu_reference", 61 | "target_field": "s7comm.pdu_reference", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "method", 68 | "target_field": 
"s7comm.method", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "szl_id", 75 | "target_field": "s7comm.szl_id", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "szl_id_name", 82 | "target_field": "s7comm.szl_id_name", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "szl_index", 89 | "target_field": "s7comm.szl_index", 90 | "ignore_missing": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "return_code", 96 | "target_field": "s7comm.return_code", 97 | "ignore_missing": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "subfunction_code", 103 | "target_field": "s7comm.subfunction_code", 104 | "ignore_missing": true 105 | } 106 | }, 107 | { 108 | "rename": { 109 | "field": "return_code_name", 110 | "target_field": "s7comm.return_code_name", 111 | "ignore_missing": true 112 | } 113 | } 114 | ] 115 | } 116 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-smb_mapping-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'smb_mapping' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_SMB", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "uid", 61 | "target_field": "log.id.uid", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "set": { 67 | "field": "network.transport", 68 | "value": "tcp", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "native_file_system", 75 | "target_field": "smb.native_file_system", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "set": { 81 | "field": "file.path", 82 | "value": "{{{path}}}", 83 | "ignore_failure": true, 84 | "if": "ctx.path != null" 85 | } 86 | }, 87 | { 88 | "rename": { 89 | "field": "path", 90 | "target_field": "smb.path", 91 | "ignore_missing": true 92 | } 93 | }, 94 | { 95 | "rename": { 96 | "field": "share_type", 97 | 
"target_field": "smb.share_type", 98 | "ignore_missing": true 99 | } 100 | }, 101 | { 102 | "rename": { 103 | "field": "service", 104 | "target_field": "smb.service", 105 | "ignore_missing": true 106 | } 107 | }, 108 | { 109 | "remove": { 110 | "field": "id", 111 | "ignore_failure": true, 112 | "ignore_missing": true 113 | } 114 | } 115 | ] 116 | } 117 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-smtp_links-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'smtp_links' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | 
"ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "temp_host", 61 | "target_field": "url.domain", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "url", 68 | "target_field": "url.original", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "set": { 74 | "field": "destination.domain", 75 | "value": "{{url.domain}}}", 76 | "ignore_failure": true 77 | } 78 | }, 79 | { 80 | "remove": { 81 | "field": "id", 82 | "ignore_failure": true, 83 | "ignore_missing": true 84 | } 85 | } 86 | ] 87 | } 88 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-software_red-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'software_red' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-software-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-ssl_red-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'ssl_red' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-ssl-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-stun-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'stun' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "attr_types", 61 | "target_field": "vpn.attr_types", 62 | 
"ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "attr_vals", 68 | "target_field": "vpn.attr_vals", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "class", 75 | "target_field": "vpn.class", 76 | "ignore_failure": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "is_orig", 82 | "target_field": "vpn.is_originating", 83 | "ignore_failure": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "method", 89 | "target_field": "vpn.method", 90 | "ignore_failure": true 91 | } 92 | }, 93 | { 94 | "rename": { 95 | "field": "proto", 96 | "target_field": "network.transport", 97 | "ignore_failure": true 98 | } 99 | }, 100 | { 101 | "rename": { 102 | "field": "trans_id", 103 | "target_field": "vpn.trans_id", 104 | "ignore_failure": true 105 | } 106 | } 107 | ] 108 | } 109 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-stun_nat-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'stun_nat' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "is_orig", 61 | "target_field": "vpn.is_originating", 62 | "ignore_failure": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "lan_addrs", 68 | "target_field": "vpn.lan_addrs", 69 | "ignore_failure": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "proto", 75 | "target_field": "network.transport", 76 | "ignore_failure": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "wan_addrs", 82 | "target_field": "vpn.wan_addrs", 83 | "ignore_failure": true 84 | } 85 | }, 86 | { 87 | "rename": { 88 | "field": "wan_ports", 89 | "target_field": "vpn.wan_ports", 90 | "ignore_failure": true 91 | } 92 | } 93 | ] 94 | } 95 | 
-------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-syslog-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'syslog' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_SYSLOG", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "proto", 61 | "target_field": "network.transport", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "facility", 68 | "target_field": "log.syslog.facility.name", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "severity", 75 | 
"target_field": "log.syslog.severity.name", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "message", 82 | "target_field": "log.syslog.message", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "remove": { 88 | "field": "id", 89 | "ignore_failure": true, 90 | "ignore_missing": true 91 | } 92 | } 93 | ] 94 | } 95 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-tds-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'tds' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 
| } 57 | }, 58 | { 59 | "rename": { 60 | "field": "command", 61 | "target_field": "tds.command", 62 | "ignore_missing": true 63 | } 64 | } 65 | ] 66 | } 67 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-tds_rpc-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'tds_rpc' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "procedure_name", 61 | "target_field": "tds.procedure_name", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | 
"field": "parameters", 68 | "target_field": "tds.parameters", 69 | "ignore_missing": true 70 | } 71 | } 72 | ] 73 | } 74 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-tds_sql_batch-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'tds_sql_batch' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "header_type", 61 | "target_field": "tds.header_type", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "query", 68 | 
"target_field": "tds.query", 69 | "ignore_missing": true 70 | } 71 | } 72 | ] 73 | } 74 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-traceroute-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'traceroute' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "proto", 61 | "target_field": "network.transport", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "remove": { 67 | "field": "id", 68 | "ignore_failure": true, 69 | "ignore_missing": true 70 | } 
71 | } 72 | ] 73 | } 74 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-tunnel-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'tunnel' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "action", 61 | "target_field": "tunnel.action", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "tunnel_type", 68 | "target_field": "tunnel.tunnel_type", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "remove": { 74 | "field": "id", 
75 | "ignore_failure": true, 76 | "ignore_missing": true 77 | } 78 | } 79 | ] 80 | } 81 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-unknown_mime_type_discovery-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'unknown_mime_type_discovery' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "miscellaneous" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "bof", 61 | "target_field": "corelight.unknown_mime_type_discovery.bof", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "set": { 67 | "field": "event.id", 68 | "value": "{{log.id.fid}}}", 69 | 
"ignore_failure": true, 70 | "if": "(ctx.log?.id != null && ctx.log?.fid != null)" 71 | } 72 | }, 73 | { 74 | "remove": { 75 | "field": "id", 76 | "ignore_failure": true, 77 | "ignore_missing": true, 78 | "if": "ctx.id != null" 79 | } 80 | } 81 | ] 82 | } 83 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-websockets-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'websocket' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2025042201, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": [ "connection", "info", "protocol" ] 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "network_protocols" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_VARIOUS", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "set": { 60 | "field": "destination.domain", 61 | 
"value": "{{{temp_host}}}", 62 | "ignore_failure": true, 63 | "if": "ctx.temp_host != null" 64 | } 65 | }, 66 | { 67 | "rename": { 68 | "field": "temp_host", 69 | "target_field": "url.domain", 70 | "ignore_missing": true 71 | } 72 | }, 73 | { 74 | "rename": { 75 | "field": "uri", 76 | "target_field": "url.original", 77 | "ignore_missing": true 78 | } 79 | }, 80 | { 81 | "rename": { 82 | "field": "subprotocol", 83 | "target_field": "websockets.subprotocol", 84 | "ignore_missing": true 85 | } 86 | }, 87 | { 88 | "rename": { 89 | "field": "client_protocols", 90 | "target_field": "websockets.client_protocols", 91 | "ignore_missing": true 92 | } 93 | }, 94 | { 95 | "rename": { 96 | "field": "server_extensions", 97 | "target_field": "websockets.server_extensions", 98 | "ignore_missing": true 99 | } 100 | }, 101 | { 102 | "rename": { 103 | "field": "client_extensions", 104 | "target_field": "websockets.client_extensions", 105 | "ignore_missing": true 106 | } 107 | }, 108 | { 109 | "rename": { 110 | "field": "client_key", 111 | "target_field": "websockets.client_key", 112 | "ignore_missing": true 113 | } 114 | }, 115 | { 116 | "rename": { 117 | "field": "server_accept", 118 | "target_field": "websockets.server_accept", 119 | "ignore_missing": true 120 | } 121 | } 122 | ] 123 | } 124 | 125 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-weird-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'weird' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. 
Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "set": { 7 | "field": "event.kind", 8 | "value": "event" 9 | } 10 | }, 11 | { 12 | "set": { 13 | "field": "event.category", 14 | "value": "network", 15 | "override": true 16 | } 17 | }, 18 | { 19 | "set": { 20 | "field": "event.type", 21 | "value": "info" 22 | } 23 | }, 24 | { 25 | "set": { 26 | "field": "labels.corelight.event_category", 27 | "value": "miscellaneous" 28 | } 29 | }, 30 | { 31 | "set": { 32 | "field": "temporary_metadata_index_name_type", 33 | "value": "VAR_CL_DS_TYPE_PROTOCOL_LOG", 34 | "ignore_failure": false 35 | } 36 | }, 37 | { 38 | "set": { 39 | "field": "temporary_metadata_index_name_dataset_prefix", 40 | "value": "VAR_CL_DS_PREFIX_PROTOCOL_LOG", 41 | "ignore_failure": false 42 | } 43 | }, 44 | { 45 | "set": { 46 | "field": "temporary_metadata_index_name_dataset_suffix", 47 | "value": "VAR_CL_DS_SUFFIX_PROTOCOL_LOG_WEIRD", 48 | "ignore_failure": false 49 | } 50 | }, 51 | { 52 | "set": { 53 | "field": "temporary_metadata_index_name_namespace", 54 | "value": "VAR_CL_DS_NAMESPACE_PROTOCOL_LOG", 55 | "ignore_failure": false 56 | } 57 | }, 58 | { 59 | "rename": { 60 | "field": "addl", 61 | "target_field": "weird.additional_info", 62 | "ignore_missing": true 63 | } 64 | }, 65 | { 66 | "rename": { 67 | "field": "name", 68 | "target_field": "weird.name", 69 | "ignore_missing": true 70 | } 71 | }, 72 | { 73 | "rename": { 74 | "field": "notice", 75 | "target_field": "weird.notice", 76 | "ignore_missing": true 77 | } 78 | }, 79 | { 80 | "rename": { 81 | "field": "peer", 82 | "target_field": "weird.peer", 83 | "ignore_missing": true 84 | } 85 | }, 86 | { 87 | "remove": { 88 | "field": "id", 89 | "ignore_failure": true, 90 | "ignore_missing": true 91 | } 92 | } 93 | ] 94 | } 95 | -------------------------------------------------------------------------------- 
/pipeline/log_specific/protocol_logs/corelight-ecs-weird_red-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'weird_red' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-weird-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-wireguard-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'wireguard' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-vpn-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | -------------------------------------------------------------------------------- /pipeline/log_specific/protocol_logs/corelight-ecs-x509_red-pipeline: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Corelight ingest pipeline for 'x509_red' log. This ingest pipeline is from the Github repository https://github.com/corelight/ecs-mapping. Please file all questions or issues with this configuration in the corresponding Github repository.", 3 | "version": 2023120101, 4 | "processors": [ 5 | { 6 | "pipeline": { 7 | "name": "corelight-ecs-x509-pipeline" 8 | } 9 | } 10 | ] 11 | } 12 | --------------------------------------------------------------------------------