Update By Query Request to add process_signature field
POST cef-*/_update_by_query
{
  "query": {
    "term": {
      "auditd.log.record_type": {
        "value": "EXECVE"
      }
    }
  },
  "script": {
    "lang": "painless",
    "inline": "if (ctx._source.auditd?.log?.a0 != null) { ctx._source.process_signature = ctx._source.auditd.log.a0+'|'+ctx._source.auditd.log.a1+'|'+ctx._source.beat.name; }"
  }
}
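Before running an update_by_query against live cef-* indices it helps to see what the script will actually write. The following is an added example, not part of the gist: it mirrors the term query and the Painless script in Python over constructed sample documents, including the two edge cases the one-line script leaves implicit (a missing a0 is skipped by the null check; a missing a1 or beat.name is rendered as the literal text "null" by Java-style string concatenation).

```python
import copy
from typing import Optional

# Constructed sample documents shaped like the auditd/beat fields the script reads.
SAMPLE_DOCS = [
    {"auditd": {"log": {"record_type": "EXECVE", "a0": "/usr/bin/curl",
                        "a1": "http://example.invalid"}}, "beat": {"name": "web-01"}},
    {"auditd": {"log": {"record_type": "EXECVE", "a0": "/bin/ls"}},  # no a1
     "beat": {"name": "web-02"}},
    {"auditd": {"log": {"record_type": "SYSCALL", "a0": "0x0"}},  # not EXECVE: untouched
     "beat": {"name": "web-02"}},
    {"auditd": {"log": {"record_type": "EXECVE"}},  # no a0: the null check skips it
     "beat": {"name": "web-03"}},
]

def _get(doc: dict, *path: str):
    """Null-safe nested lookup, equivalent to Painless `?.` chaining."""
    cur = doc
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def _painless_str(value) -> str:
    """Painless string concatenation renders a null operand as the text 'null'."""
    return "null" if value is None else str(value)

def process_signature(doc: dict) -> Optional[str]:
    """Signature the gist's script would write, or None when its guard prevents a write."""
    if _get(doc, "auditd", "log", "a0") is None:
        return None
    return "|".join(_painless_str(v) for v in (
        _get(doc, "auditd", "log", "a0"),
        _get(doc, "auditd", "log", "a1"),
        _get(doc, "beat", "name"),
    ))

def matches_query(doc: dict) -> bool:
    """The term query on auditd.log.record_type selects only EXECVE records."""
    return _get(doc, "auditd", "log", "record_type") == "EXECVE"

def dry_run(docs: list) -> list:
    """Apply query and script locally; return copies with process_signature set where ES would set it."""
    out = []
    for doc in docs:
        updated = copy.deepcopy(doc)
        if matches_query(doc):
            sig = process_signature(doc)
            if sig is not None:
                updated["process_signature"] = sig
        out.append(updated)
    return out
```

The second sample shows why a guard on a1 (or a default value) is worth adding to the script: otherwise signatures like "/bin/ls|null|web-02" end up indexed and pollute any later aggregation on process_signature.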