Skip to content

Instantly share code, notes, and snippets.

@gingerwizard

gingerwizard/process_signature.json

Last active June 6, 2017 09:57
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save gingerwizard/dbde5c9d20ec06af145be3dabadb3383 to your computer and use it in GitHub Desktop.
Save gingerwizard/dbde5c9d20ec06af145be3dabadb3383 to your computer and use it in GitHub Desktop.
Download ZIP
Ingest Pipeline for Creating a process_signature field from Auditd in CEF
Raw
process_signature.json
{
"description": "Pipeline for creating process_signature field",
"processors": [
{
"script": {
"lang": "painless",
"inline": "if (ctx.auditd?.log?.a0 != null) { ctx.process_signature = ctx.auditd.log.a0+'|'+ctx.auditd.log.a1+'|'+ctx.beat.name; }"
}
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment