Add checks to avoid empty strings

marc-gr · marc-gr · commit c39bda110edc · 2020-09-23T15:24:52.000+02:00
diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json
@@ -211,7 +211,7 @@
         "append": {
             "field": "related.hosts",
             "value": "{{host.hostname}}",
-            "if": "ctx?.host?.hostname != null",
+            "if": "ctx?.host?.hostname != null && ctx.host?.hostname != ''",
             "allow_duplicates": false
         }
     }
diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml
@@ -145,7 +145,7 @@ processors:
 - append:
     field: related.hosts
     value: "{{host.hostname}}"
-    if: "ctx.host?.hostname != null"
+    if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
     allow_duplicates: false
 on_failure:
 - set:
diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
 - append:
     field: related.hosts
     value: "{{host.hostname}}"
-    if: "ctx.host?.hostname != null"
+    if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
     allow_duplicates: false
 on_failure:
 - set:
diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml
@@ -56,12 +56,12 @@ processors:
   - append:
         field: related.hosts
         value: '{{url.domain}}'
-        if: ctx?.url?.domain != null
+        if: ctx?.url?.domain != null && ctx?.url?.domain != ""
         allow_duplicates: false
   - append:
         field: related.hosts
         value: '{{server.domain}}'
-        if: ctx?.server?.domain != null
+        if: ctx?.server?.domain != null && ctx?.url?.domain != ""
         allow_duplicates: false
 on_failure:
   - append:
diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json
@@ -346,9 +346,6 @@
         "observer.product": "Spam",
         "observer.type": "Anti-Virus",
         "observer.vendor": "Barracuda",
-        "related.hosts": [
-            ""
-        ],
         "related.ip": [
             "10.206.159.177"
         ],
@@ -1148,9 +1145,6 @@
         "observer.product": "Spam",
         "observer.type": "Anti-Virus",
         "observer.vendor": "Barracuda",
-        "related.hosts": [
-            ""
-        ],
         "related.ip": [
             "10.153.108.27"
         ],
@@ -1626,9 +1620,6 @@
         "observer.product": "Spam",
         "observer.type": "Anti-Virus",
         "observer.vendor": "Barracuda",
-        "related.hosts": [
-            ""
-        ],
         "related.ip": [
             "10.153.152.219"
         ],
@@ -1833,9 +1824,6 @@
         "observer.product": "Spam",
         "observer.type": "Anti-Virus",
         "observer.vendor": "Barracuda",
-        "related.hosts": [
-            ""
-        ],
         "related.ip": [
             "10.103.69.44"
         ],
@@ -1919,9 +1907,6 @@
         "observer.product": "Spam",
         "observer.type": "Anti-Virus",
         "observer.vendor": "Barracuda",
-        "related.hosts": [
-            ""
-        ],
         "related.ip": [
             "10.145.193.93"
         ],
@@ -2034,9 +2019,6 @@
         "observer.product": "Spam",
         "observer.type": "Anti-Virus",
         "observer.vendor": "Barracuda",
-        "related.hosts": [
-            ""
-        ],
         "related.ip": [
             "10.141.225.182"
         ],
@@ -2718,9 +2700,6 @@
         "observer.product": "Spam",
         "observer.type": "Anti-Virus",
         "observer.vendor": "Barracuda",
-        "related.hosts": [
-            ""
-        ],
         "related.ip": [
             "10.157.196.101"
         ],
@@ -3176,8 +3155,8 @@
         "observer.type": "Anti-Virus",
         "observer.vendor": "Barracuda",
         "related.ip": [
-            "10.178.30.158",
-            "10.1.6.115"
+            "10.1.6.115",
+            "10.178.30.158"
         ],
         "rsa.internal.messageid": "outbound/smtp",
         "rsa.investigations.event_cat": 1901000000,
diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
         field: related.hosts
         value: '{{host.name}}'
         allow_duplicates: false
-        if: ctx?.host?.name != null
+        if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml
@@ -61,7 +61,7 @@ processors:
   - append:
         field: related.hosts
         value: '{{host.hostname}}'
-        if: ctx.host?.hostname != null
+        if: ctx.host?.hostname != null && ctx.host?.hostname != ''
         allow_duplicates: false
 on_failure:
   - append:
diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml
@@ -56,12 +56,12 @@ processors:
   - append:
         field: related.hosts
         value: '{{host.name}}'
-        if: ctx.host?.name != null
+        if: ctx.host?.name != null  && ctx.host?.name != ''
         allow_duplicates: false
   - append:
         field: related.hosts
         value: '{{host.hostname}}'
-        if: ctx.host?.hostname != null
+        if: ctx.host?.hostname != null && ctx.host?.hostname != ''
         allow_duplicates: false
 on_failure:
   - append:
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -1550,22 +1550,22 @@ processors:
   - append:
       field: related.hosts
       value: "{{host.hostname}}"
-      if: ctx.host?.hostname != null
+      if: ctx.host?.hostname != null && ctx.host?.hostname != ''
       allow_duplicates: false
   - append:
       field: related.hosts
       value: "{{observer.hostname}}"
-      if: ctx.observer?.hostname != null
+      if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
       allow_duplicates: false
   - append:
       field: related.hosts
       value: "{{destination.domain}}"
-      if: ctx.destination?.domain != null
+      if: ctx.destination?.domain != null && ctx.destination?.domain != ''
       allow_duplicates: false
   - append:
       field: related.hosts
       value: "{{source.domain}}"
-      if: ctx.source?.domain != null
+      if: ctx.source?.domain != null && ctx.source?.domain != ''
       allow_duplicates: false
 on_failure:
   # Copy any fields under _temp_.cisco to its final destination. Those can help
diff --git a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
         field: related.hosts
         value: '{{server.domain}}'
         allow_duplicates: false
-        if: ctx?.server?.domain != null
+        if: ctx?.server?.domain != null && ctx.server?.domain != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml
@@ -57,12 +57,12 @@ processors:
         field: related.hosts
         value: '{{host.hostname server.domain}}'
         allow_duplicates: false
-        if: ctx?.host?.hostname != null
+        if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
   - append:
         field: related.hosts
         value: '{{server.domain}}'
         allow_duplicates: false
-        if: ctx?.server?.domain != null
+        if: ctx?.server?.domain != null && ctx.server?.domain != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
         field: related.hosts
         value: '{{host.name}}'
         allow_duplicates: false
-        if: ctx?.host?.name != null
+        if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
         field: related.hosts
         value: '{{host.name}}'
         allow_duplicates: false
-        if: ctx?.host?.name != null
+        if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
         field: related.hosts
         value: '{{rsa.web.fqdn}}'
         allow_duplicates: false
-        if: ctx?.rsa?.web?.fqdn != null
+        if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
@@ -57,12 +57,12 @@ processors:
         field: related.hosts
         value: '{{host.name}}'
         allow_duplicates: false
-        if: ctx?.host?.name != null
+        if: ctx?.host?.name != null && ctx.host?.name != ''
   - append:
         field: related.hosts
         value: '{{server.domain}}'
         allow_duplicates: false
-        if: ctx?.server?.domain != null
+        if: ctx?.server?.domain != null && ctx.server?.domain != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
         field: related.hosts
         value: '{{server.domain}}'
         allow_duplicates: false
-        if: ctx?.server?.domain != null
+        if: ctx?.server?.domain != null && ctx.server?.domain != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
         field: related.hosts
         value: '{{host.name}}'
         allow_duplicates: false
-        if: ctx?.host?.name != null
+        if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
         field: related.hosts
         value: '{{host.hostname}}'
         allow_duplicates: false
-        if: ctx?.host?.hostname != null
+        if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml
@@ -57,12 +57,12 @@ processors:
         field: related.hosts
         value: '{{host.name}}'
         allow_duplicates: false
-        if: ctx?.host?.name != null
+        if: ctx?.host?.name != null && ctx.host?.name != ''
   - append:
         field: related.hosts
         value: '{{rsa.misc.event_source}}'
         allow_duplicates: false
-        if: ctx?.rsa?.misc?.event_source != null
+        if: ctx?.rsa?.misc?.event_source != null && ctx.rsa?.misc?.event_source != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
@@ -57,12 +57,12 @@ processors:
         field: related.hosts
         value: '{{host.hostname}}'
         allow_duplicates: false
-        if: ctx?.host?.hostname
+        if: ctx?.host?.hostname && ctx.host?.hostname != ''
   - append:
         field: related.hosts
         value: '{{server.domain}}'
         allow_duplicates: false
-        if: ctx?.server?.domain
+        if: ctx?.server?.domain && ctx.server?.domain != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
@@ -282,7 +282,7 @@ processors:
 - append:
     field: related.hosts
     value: '{{host.hostname}}'
-    if: ctx.host?.hostname != null
+    if: ctx.host?.hostname != null && ctx.host?.hostname != ''
     allow_duplicates: false
 
 #############
diff --git a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml
@@ -57,12 +57,12 @@ processors:
         field: related.hosts
         value: '{{host.hostname}}'
         allow_duplicates: false
-        if: ctx?.host?.hostname != null
+        if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
   - append:
         field: related.hosts
         value: '{{source.address}}'
         allow_duplicates: false
-        if: ctx?.source?.address != null
+        if: ctx?.source?.address != null && ctx.source?.address != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -475,7 +475,7 @@ processors:
  - append:
      field: related.hosts
      value: "{{observer.hostname}}"
-     if: "ctx?.observer?.hostname != null"
+     if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''"
      allow_duplicates: false
 
 # Remove temporary fields.
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml
@@ -57,12 +57,12 @@ processors:
         field: related.hosts
         value: '{{host.name}}'
         allow_duplicates: false
-        if: ctx?.host?.name != null
+        if: ctx?.host?.name != null && ctx.host?.name != ''
   - append:
         field: related.hosts
         value: '{{destination.address}}'
         allow_duplicates: false
-        if: ctx?.destination?.address != null
+        if: ctx?.destination?.address != null && ctx.destination?.address != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml
@@ -57,7 +57,7 @@ processors:
         field: related.hosts
         value: '{{host.name}}'
         allow_duplicates: false
-        if: ctx?.host?.name != null
+        if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml
@@ -57,22 +57,22 @@ processors:
         field: related.hosts
         value: '{{host.name}}'
         allow_duplicates: false
-        if: ctx?.host?.name != null
+        if: ctx?.host?.name != null && ctx.host?.name != ''
   - append:
         field: related.hosts
         value: '{{host.hostname}}'
         allow_duplicates: false
-        if: ctx?.host?.hostname != null
+        if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
   - append:
         field: related.hosts
         value: '{{source.address}}'
         allow_duplicates: false
-        if: ctx?.source?.address != null
+        if: ctx?.source?.address != null && ctx.source?.address != ''
   - append:
         field: related.hosts
         value: '{{destination.address}}'
         allow_duplicates: false
-        if: ctx?.destination?.address != null
+        if: ctx?.destination?.address != null && ctx.destination?.address != ''
 on_failure:
   - append:
         field: error.message
diff --git a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml

Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,7 @@`
`211`	`211`	`"append": {`
`212`	`212`	`"field": "related.hosts",`
`213`	`213`	`"value": "{{host.hostname}}",`
`214`		`- "if": "ctx?.host?.hostname != null",`
	`214`	`+ "if": "ctx?.host?.hostname != null && ctx.host?.hostname != ''",`
`215`	`215`	`"allow_duplicates": false`
`216`	`216`	`}`
`217`	`217`	`}`