Closed Nibor62 closed 7 years ago
Can be used as follows:

```
datamap:
  [fieldName]:
    [sourceValue]: [mappedValue]
```

A "_default" sourceValue will be interpreted as the default mapping if none is found. If there is no "_default" sourceValue, the default value is the source's one.

```yaml
parser: regex
defaults:
  provider: reputation.alienvault.com
  datamap:
    tags:
      'Scanning Host': scanner
      'Malicious Host': suspicious
      'Spamming': suspicious
      'C&C': botnet
      'Malware Domain': malware
      'Malware distribution': malware
      'Malware IP': malware

feeds:
  reputation:
    remote: https://reputation.alienvault.com/reputation.data
    pattern: '[+-]?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})#\d\d?#\d\d?#(.*)#.*#.*#.*#.*$'
    values:
```
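
A sketch of the datamap lookup described in this pull request, added here as an example and not the code from the PR itself: it parses constructed lines in the `reputation.data` layout and maps the captured tag, falling back to `_default` and then to the source value. The `indicator`/`tags` group names, the `[^#]*` tag capture and the sample lines are assumptions.

```python
import re

# Assumed form of the feed pattern: group 1 = IP address, group 2 = activity tag.
PATTERN = re.compile(
    r"^[+-]?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})#\d\d?#\d\d?#([^#]*)#"
)
VALUES = ("indicator", "tags")  # hypothetical names for the two capture groups

# The tag mapping from the rule shown in the pull request.
DATAMAP = {
    "tags": {
        "Scanning Host": "scanner",
        "Malicious Host": "suspicious",
        "Spamming": "suspicious",
        "C&C": "botnet",
        "Malware Domain": "malware",
        "Malware distribution": "malware",
        "Malware IP": "malware",
    }
}

def apply_datamap(record, datamap):
    """Map each field listed in datamap; an unmapped value takes "_default"
    when the mapping defines one, otherwise it is passed through unchanged."""
    out = dict(record)
    for field, mapping in datamap.items():
        if field in out:
            src = out[field]
            out[field] = mapping.get(src, mapping.get("_default", src))
    return out

def parse_feed(lines, datamap):
    """Return one mapped record per line that matches the feed pattern."""
    records = []
    for line in lines:
        m = PATTERN.match(line.strip())
        if not m:
            continue  # comment, blank or malformed line
        records.append(apply_datamap(dict(zip(VALUES, m.groups())), datamap))
    return records

# Constructed sample lines using documentation addresses, not real feed data.
SAMPLE = [
    "192.0.2.10#4#2#Scanning Host#US#Dallas#32.7,-96.8#11",
    "198.51.100.7#3#2#C&C#DE#Berlin#52.5,13.4#3",
    "203.0.113.5#2#1#Phishing#FR#Paris#48.8,2.3#3",
    "# not a feed record",
]
```

The third sample line carries a tag that the mapping does not list, so it shows both fallback paths depending on whether `_default` is present.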