Merge pull request #13079 from Security-Onion-Solutions/2.4/sigmapipe…

…lineupdates Add IDH mappings
Security-Onion-Solutions · May 24, 2024 · 185fb38 · 185fb38
2 parents 29a87fd + 550b3ee
commit 185fb38
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -17,6 +17,16 @@ transformations:
         dst_ip: destination.ip.keyword
         dst_port: destination.port
         winlog.event_data.User: user.name
+        logtype: event.code # OpenCanary
+    # Maps "opencanary" product to SO IDH logs
+    - id: opencanary_idh_add-fields
+      type: add_condition
+      conditions:
+        event.module: 'opencanary'
+        event.dataset: 'opencanary.idh'
+      rule_conditions:
+      - type: logsource
+        product: opencanary
     # Maps "antivirus" category to Windows Defender logs shipped by Elastic Agent Winlog Integration
     # winlog.event_data.threat_name has to be renamed prior to ingestion, it is originally winlog.event_data.Threat Name
     - id: antivirus_field-mappings_windows-defender
@@ -88,3 +98,11 @@ transformations:
       - type: logsource
         product: linux
         service: auth
+    # event.code should always be a string
+    - id: convert_event_code_to_string
+      type: convert_type
+      target_type: 'str'
+      field_name_conditions:
+        - type: include_fields
+          fields:
+          - event.code