Ingest Pipeline for Creating a process_signature field from Auditd in CEF
```json
{
  "description": "Pipeline for creating process_signature field",
  "processors": [
    {
      "script": {
        "lang": "painless",
        "inline": "if (ctx.auditd?.log?.a0 != null) { ctx.process_signature = ctx.auditd.log.a0+'|'+ctx.auditd.log.a1+'|'+ctx.beat.name; }"
      }
    }
  ]
}
```
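The processor above as an added Python simulation (not part of the gist), run against constructed sample events so its edge cases can be checked offline before deploying: a missing a0 skips the field, a missing a1 produces the literal segment null (Java/Painless string concatenation), and a missing beat object errors the document because ctx.beat.name is not null-guarded in the script.

```python
# Added example (not the gist's code): Python mirror of the Painless processor.

# Constructed documents shaped like the beat output the pipeline receives.
SAMPLE_DOCS = [
    {"auditd": {"log": {"a0": "7ffd1234", "a1": "10"}}, "beat": {"name": "web-01"}},
    {"auditd": {"log": {"a0": "55aa00"}}, "beat": {"name": "db-02"}},   # a1 absent
    {"auditd": {"log": {"a2": "0"}}, "beat": {"name": "db-02"}},        # a0 absent
    {"beat": {"name": "app-03"}},                                        # no auditd.log
]


def _painless_str(value):
    """Mirror Painless/Java string concatenation: null becomes the text 'null'."""
    return "null" if value is None else str(value)


def add_process_signature(doc):
    """Apply the gist's processor to one document (mutated in place and returned).

    Sets process_signature = a0|a1|beat.name only when auditd.log.a0 is present,
    matching the `ctx.auditd?.log?.a0 != null` guard in the script.
    """
    log = (doc.get("auditd") or {}).get("log") or {}
    if log.get("a0") is None:
        return doc
    # ctx.beat.name is not null-guarded in the script: a missing beat object
    # raises (the pipeline would fail the document), a missing name yields "null".
    beat_name = doc["beat"].get("name")
    doc["process_signature"] = "|".join(
        _painless_str(v) for v in (log["a0"], log.get("a1"), beat_name)
    )
    return doc


def run_pipeline(docs):
    """Run the processor over a batch, leaving the input documents untouched."""
    return [add_process_signature(dict(d)) for d in docs]


def has_null_segment(signature):
    """Flag signatures where a field was missing and the literal 'null' was
    concatenated in, so those events are not silently grouped together."""
    return "null" in signature.split("|")


if __name__ == "__main__":
    for out in run_pipeline(SAMPLE_DOCS):
        print(out.get("process_signature"))
```

Running has_null_segment over the produced field is a cheap check to add to a dashboard or test before trusting process_signature as a grouping key.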