Skip to content

Instantly share code, notes, and snippets.

@gingerwizard

gingerwizard/update_process_signature.json

Last active June 6, 2017 10:03
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save gingerwizard/b1690510ac92b1b2ef2cc105417abacc to your computer and use it in GitHub Desktop.
Save gingerwizard/b1690510ac92b1b2ef2cc105417abacc to your computer and use it in GitHub Desktop.
Download ZIP
Update By Query Request to add process_signature field
Raw
update_process_signature.json
POST cef-*/_update_by_query
{
"query": {
"term": {
"auditd.log.record_type": {
"value": "EXECVE"
}
}
},
"script": {
"lang": "painless",
"inline": "if (ctx._source.auditd?.log?.a0 != null) { ctx._source.process_signature = ctx._source.auditd.log.a0+'|'+ctx._source.auditd.log.a1+'|'+ctx._source.beat.name; }"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment