########################
# Copyright (c) 2025 Battelle Energy Alliance, LLC. All rights reserved.
#######################
# Logstash pipeline stage for Zeek intel.log records. Everything below is gated on
# [log_source] == "intel"; any other event passes through this file untouched.
# Goal: a [zeek_cols] object whose key names are identical whether the record arrived
# as JSON (field renames) or as delimited text (dissect, with a ruby zip fallback).
filter {
if ([log_source] == "intel") {
#############################################################################################################################
# intel.log
# https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
# JSON path (event was tagged _jsonparsesuccess upstream): nested Zeek record fields carry
# dotted names such as "seen.indicator". Rename them to the underscore form used by the
# dissect mapping below so both input formats yield the same [zeek_cols] keys.
if ("_jsonparsesuccess" in [tags]) {
mutate {
id => "mutate_rename_zeek_json_intel_fields"
rename => { "[zeek_cols][cif.confidence]" => "[zeek_cols][cif_confidence]" }
rename => { "[zeek_cols][cif.description]" => "[zeek_cols][cif_description]" }
rename => { "[zeek_cols][cif.firstseen]" => "[zeek_cols][cif_firstseen]" }
rename => { "[zeek_cols][cif.lastseen]" => "[zeek_cols][cif_lastseen]" }
rename => { "[zeek_cols][cif.source]" => "[zeek_cols][cif_source]" }
rename => { "[zeek_cols][cif.tags]" => "[zeek_cols][cif_tags]" }
rename => { "[zeek_cols][seen.indicator]" => "[zeek_cols][seen_indicator]" }
rename => { "[zeek_cols][seen.indicator_type]" => "[zeek_cols][seen_indicator_type]" }
rename => { "[zeek_cols][seen.node]" => "[zeek_cols][seen_node]" }
rename => { "[zeek_cols][seen.where]" => "[zeek_cols][seen_where]" }
}
} else {
# Text path: positional dissect of [message] into [zeek_cols]. The 21-column order here is
# the contract with the intel.log layout; it must be kept in lockstep with the
# @zeek_intel_field_names array in the fallback ruby filter below — if Zeek adds or reorders
# a column, both lists change together.
dissect {
id => "dissect_zeek_intel"
mapping => {
"[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][seen_indicator]} %{[zeek_cols][seen_indicator_type]} %{[zeek_cols][seen_where]} %{[zeek_cols][seen_node]} %{[zeek_cols][matched]} %{[zeek_cols][sources]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][cif_tags]} %{[zeek_cols][cif_confidence]} %{[zeek_cols][cif_source]} %{[zeek_cols][cif_description]} %{[zeek_cols][cif_firstseen]} %{[zeek_cols][cif_lastseen]}"
}
}
# Fallback when the dissect pattern does not match (event tagged _dissectfailure): split the
# raw message on the delimiter and pair tokens with field names positionally. Array#zip
# semantics apply — a short message leaves the trailing fields nil, and any tokens beyond the
# 21 names are silently dropped.
# NOTE(review): the delimiter shown here is a single space; confirm it matches what the
# producer actually writes (tab vs. space). A value containing the delimiter would shift every
# column after it, so the rest of the pipeline should not assume these fields are reliable
# when _dissectfailure is set.
if ("_dissectfailure" in [tags]) {
mutate {
id => "mutate_split_zeek_intel"
split => { "[message]" => " " }
}
ruby {
id => "ruby_zip_zeek_intel"
init => "@zeek_intel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'seen_indicator', 'seen_indicator_type', 'seen_where', 'seen_node', 'matched', 'sources', 'fuid', 'file_mime_type', 'file_desc', 'cif_tags', 'cif_confidence', 'cif_source', 'cif_description', 'cif_firstseen', 'cif_lastseen' ]"
code => "event.set('[zeek_cols]', @zeek_intel_field_names.zip(event.get('[message]')).to_h)"
}
}
}
# Multi-valued columns that arrive comma-separated ("matched", "cif_tags") become arrays so
# they can be queried as individual terms downstream.
mutate { id => "mutate_split_zeek_intel_commas"
split => { "[zeek_cols][matched]" => ","
"[zeek_cols][cif_tags]" => "," } }
# "sources" is handled differently because of some weirdness between creating the meta.source field in the
# intel file (which seems to be a string) and the sources field in intel.log (which is a set of string)
# so we're doing our own | pseudo-delimiter to work around it. Further complicating things, in JSON
# "sources" is already an array, and in TSV it's a string.
# The code below only reads [zeek_cols][sources], splits strings on '|' and writes the result back;
# it never evaluates field contents, so indicator or source text taken from the wire cannot reach
# any dynamic-code path here. In the Array branch, map!/flatten! mutate the array in place and the
# (possibly nil) return value of flatten! is unused — `sources` still refers to the mutated array.
# NOTE(review): the trailing `unless ... or (...)` is correct only because of the parentheses;
# `||` is the conventional spelling and avoids the `or` precedence trap if the line is edited later.
ruby {
id => "ruby_intel_sources_split"
code => "
if (sources = event.get('[zeek_cols][sources]')) then
if sources.is_a?(Array)
# sources is an array already (like from JSON), expand out the elements that may be pipe-separated
sources.map! { |source| source.to_s.split('|') }.flatten!
else
# sources is not an array, split on pipe
sources = sources.to_s.split('|')
end
event.set('[zeek_cols][sources]', sources) unless sources.nil? or (sources.length == 0)
end"
}
}
} # end Filter