File: //usr/share/filebeat/module/cef/log/ingest/pipeline.yml
---
description: Pipeline for Filebeat CEF
processors:
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
# IP Geolocation Lookup
- geoip:
field: source.ip
target_field: source.geo
ignore_missing: true
- geoip:
field: destination.ip
target_field: destination.geo
ignore_missing: true
# IP Autonomous System (AS) Lookup
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
- geoip:
database_file: GeoLite2-ASN.mmdb
field: destination.ip
target_field: destination.as
properties:
- asn
- organization_name
ignore_missing: true
- rename:
field: source.as.asn
target_field: source.as.number
ignore_missing: true
- rename:
field: source.as.organization_name
target_field: source.as.organization.name
ignore_missing: true
- rename:
field: destination.as.asn
target_field: destination.as.number
ignore_missing: true
- rename:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
- append:
field: related.hash
value: "{{cef.extensions.fileHash}}"
allow_duplicates: false
if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''"
- append:
field: related.hash
value: "{{cef.extensions.oldFileHash}}"
allow_duplicates: false
if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''"
- append:
field: related.ip
value: "{{destination.ip}}"
allow_duplicates: false
if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''"
- append:
field: related.ip
value: "{{destination.nat.ip}}"
allow_duplicates: false
if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != ''"
- append:
field: related.ip
value: "{{source.ip}}"
allow_duplicates: false
if: "ctx?.source?.ip != null && ctx?.source?.ip != ''"
- append:
field: related.ip
value: "{{source.nat.ip}}"
allow_duplicates: false
if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''"
- append:
field: related.user
value: "{{destination.user.name}}"
allow_duplicates: false
if: "ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''"
- append:
field: related.user
value: "{{source.user.name}}"
allow_duplicates: false
if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''"
- append:
field: related.hosts
value: "{{observer.hostname}}"
allow_duplicates: false
if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''"
- pipeline:
name: '{< IngestPipeline "fp-pipeline" >}'
if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
- pipeline:
name: '{< IngestPipeline "cp-pipeline" >}'
if: "ctx.cef?.device?.vendor == 'Check Point'"
- remove:
field:
- _temp_
ignore_missing: true
on_failure:
- set:
field: error.message
value: "{{ _ingest.on_failure_message }}"