more field normalization for cisagov#525, adding normalization for evtx
mmguero committed Dec 12, 2024
1 parent d872f15 commit 6dc30e7
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion logstash/pipelines/beats/11_beats_logs.conf
@@ -1013,10 +1013,19 @@ filter {
mutate { id => "mutate_beats_evtx_error_description_to_result"
merge => { "[event][result]" => "[evtx][Event][EventData][Error_Description]" } }
}
} else if ([evtx][Event][EventData][Error_Code]) {
}
if ([evtx][Event][EventData][Result]) {
mutate { id => "mutate_beats_evtx_result_to_result"
merge => { "[event][result]" => "[evtx][Event][EventData][Result]" } }
}
if ([evtx][Event][EventData][Error_Code]) {
mutate { id => "mutate_beats_evtx_error_code_to_result"
merge => { "[event][result]" => "[evtx][Event][EventData][Error_Code]" } }
}
if ([evtx][Event][EventData][error_Code]) {
mutate { id => "mutate_beats_evtx_error_code_lc_to_result"
merge => { "[event][result]" => "[evtx][Event][EventData][error_Code]" } }
}

# store the original computer name as host.name as it's probably what people will want to search by
if ([miscbeat][winlog][Computer]) {
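Review bot: The new `Result`, `Error_Code` and `error_Code` conditionals each `merge` into `[event][result]` independently, where `Error_Code` used to sit in an `else if` branch, so an event carrying more than one of these keys can now end up with a multi-valued `event.result` that mixes a textual result with a numeric code. If that is intended, say so next to the first block, e.g. `# event.result may hold several values when more than one EVTX result field is present`, since saved searches and detection rules that exact-match on `event.result` would otherwise be surprised by it. The `error_Code` block differs from the one above only in the key's case; a short comment naming the event source that emits the lower-case spelling would explain why it exists and make it easier to spot other case variants that still go unnormalized. The enclosing conditional opens above the hunk, so the condition that previously gated `Error_Code` is not visible here.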