Security-Onion-Solutions / security-onion

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
https://securityonion.net

securityonion-elastic: elasticsearch ingest pipelines need to support "ips" fields #1666

Closed dougburks closed 4 years ago

dougburks commented 4 years ago

Add the following fields: ips source_ips destination_ips

dougburks commented 4 years ago

Here's the current logic in the traditional Logstash config:

    if [source_ip] {
      mutate {
        add_field => { "ips" => "%{source_ip}" }
        add_field => { "source_ips" => [ "%{source_ip}" ] }
      }
    }
    if [destination_ip] {
      mutate {
        add_field => { "ips" => "%{destination_ip}" }
        add_field => { "destination_ips" => [ "%{destination_ip}" ] }
      }
    }

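As an added example (not code from this issue or from the Security Onion project), the Elasticsearch ingest-pipeline equivalent of the Logstash logic above, written in Python so the resulting field shapes can be checked offline: the sample events, the `derive_ip_fields`, `ingest_pipeline` and `simulate_pipeline` helpers and the pipeline description are constructed here, and `simulate_pipeline` is a local stand-in for the `_ingest/pipeline/_simulate` API rather than a call to it.

```python
# Constructed sample events, not from the issue.
SAMPLE_DOCS = [
    {"source_ip": "10.0.0.5", "destination_ip": "192.0.2.10", "event_type": "conn"},
    {"source_ip": "10.0.0.5", "event_type": "dns"},
    {"event_type": "notice"},
]

def derive_ip_fields(doc):
    """Mirror the Logstash logic: add_field on an existing field turns it into an
    array, so `ips` is a string for one side and a list when both sides are set."""
    out = dict(doc)
    for side in ("source", "destination"):
        ip = out.get(f"{side}_ip")
        if ip is None:
            continue
        if "ips" not in out:
            out["ips"] = ip
        elif isinstance(out["ips"], list):
            out["ips"] = out["ips"] + [ip]
        else:
            out["ips"] = [out["ips"], ip]
        out[f"{side}_ips"] = [ip]
    return out

def ingest_pipeline():
    """Equivalent ingest pipeline (constructed). `append` creates the target as an
    array when it is missing, so `ips` is always an array on the Elasticsearch side."""
    processors = []
    for side in ("source", "destination"):
        for target in ("ips", f"{side}_ips"):
            processors.append({"append": {
                "field": target,
                "value": "{{" + side + "_ip}}",  # mustache template, resolves to a string
                "if": f"ctx.{side}_ip != null",  # Painless condition
            }})
    return {"description": "derive ips/source_ips/destination_ips", "processors": processors}

def simulate_pipeline(doc):
    """Offline stand-in for POST _ingest/pipeline/_simulate over the processors above."""
    out = dict(doc)
    for proc in ingest_pipeline()["processors"]:
        spec = proc["append"]
        src = spec["value"][2:-2]      # field named inside {{...}}
        if out.get(src) is None:       # same check as the `if` condition
            continue
        existing = out.get(spec["field"])
        current = existing if isinstance(existing, list) else [] if existing is None else [existing]
        out[spec["field"]] = current + [out[src]]
    return out
```

Note the shape difference: the Logstash version leaves `ips` as a bare string when only one address is present, while the `append` processors always produce an array, which is the easier shape to rely on in queries such as `ips:10.0.0.5`.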
defensivedepth commented 4 years ago

Looks good!

dougburks commented 4 years ago

Published: https://blog.securityonion.net/2020/02/zeek-301-elastic-686-and-cyberchef-9120.html