Security-Onion-Solutions / security-onion

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
https://securityonion.net

securityonion-elastic: bro_files file_ip should be copied to source_ip #1742

Closed weslambert closed 4 years ago

weslambert commented 4 years ago

We should copy file_ip to source_ip so that we can build more congruent searches/tables, but retain the existing file_ip visualizations and dashboard config.

weslambert commented 4 years ago

Logstash:

mutate {
  copy => { "file_ip" => "source_ip" }
}

Ingest:

{
  "set": {
    "field": "source_ip",
    "value": "{{file_ip}}"
  }
}

dougburks commented 4 years ago

Don't forget about elasticsearch ingest node parsing!

weslambert commented 4 years ago

D'oh! Truth. - Added.

dougburks commented 4 years ago

The ingest parser above resulted in errors. I had to change to:

{
  "set": {
    "field": "source_ip",
    "value": "{{file_ip.0}}"
  }
}

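As an added illustration (not code from this issue or from Security Onion), a small Python model of the two copy mechanisms in the thread: Logstash `copy` keeps the field's type, while an ingest `set` template renders a string, so an array-valued `file_ip` (assumed here; the `.0` index suggests it) needs `{{file_ip.0}}` to produce a value an ip-typed mapping accepts. The stringification of arrays is modelled, not Elasticsearch's own code.

```python
import copy
import ipaddress
import re

# Constructed bro_files-style event; file_ip is assumed array-valued.
SAMPLE_EVENT = {
    "event_type": "bro_files",
    "file_ip": ["192.0.2.10"],
}

def resolve_path(doc: dict, path: str):
    """Walk a dotted path such as 'file_ip.0'; numeric segments index arrays."""
    cur = doc
    for seg in path.split("."):
        if isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        elif isinstance(cur, dict) and seg in cur:
            cur = cur[seg]
        else:
            return None
    return cur

def render_template(doc: dict, template: str) -> str:
    """Render {{path}} placeholders to a string, as an ingest set value does.
    Arrays are stringified whole here (a model), so '{{file_ip}}' is not an IP."""
    def sub(m: re.Match) -> str:
        val = resolve_path(doc, m.group(1).strip())
        return "" if val is None else str(val)
    return re.sub(r"\{\{([^}]+)\}\}", sub, template)

def ingest_set(doc: dict, field: str, value: str) -> dict:
    """Model of the ingest 'set' processor shown in the thread."""
    out = copy.deepcopy(doc)
    out[field] = render_template(doc, value)
    return out

def logstash_copy(doc: dict, src: str, dst: str) -> dict:
    """Model of Logstash mutate { copy => { src => dst } }: type is preserved."""
    out = copy.deepcopy(doc)
    if src in doc:
        out[dst] = copy.deepcopy(doc[src])
    return out

def source_ip_is_valid(doc: dict) -> bool:
    """True when source_ip would be accepted by an ip-typed field mapping."""
    try:
        ipaddress.ip_address(doc.get("source_ip", ""))
    except ValueError:
        return False
    return True
```

Running the three variants on the sample event shows the unindexed template yields a bracketed string that fails IP validation, the `.0` template yields `192.0.2.10`, and the Logstash copy yields the original one-element array.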
dougburks commented 4 years ago

Published: https://blog.securityonion.net/2020/04/elastic-688-now-available-for-security.html