diff --git a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
index dbe6f2015..765c7b0e3 100644
--- a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
+++ b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
@@ -329,9 +329,9 @@
 "updated_at": "2022-01-12T18:22:26.156Z",
 "version": "WzI0NCwxXQ==",
 "attributes": {
- "visState": "{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"threat.indicator.type\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}",
+ "visState": "{\"title\":\"Intel - Indicator Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"threat.indicator.type\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}",
 "description": "",
- "title": "Intel - Matched",
+ "title": "Intel - Indicator Type",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "version": 1,
 "kibanaSavedObjectMeta": {
diff --git a/logstash/pipelines/zeek/1300_zeek_normalize.conf b/logstash/pipelines/zeek/1300_zeek_normalize.conf
index d81d1bc80..5920ef8c4 100644
--- a/logstash/pipelines/zeek/1300_zeek_normalize.conf
+++ b/logstash/pipelines/zeek/1300_zeek_normalize.conf
@@ -12,7 +12,7 @@ filter {
 id => "ruby_map_zeek_intel_confidence"
 code => "
 if (confNumVal = event.get('[zeek][intel][cif_confidence]').to_f) then
- confStrVal = case value
+ confStrVal = case confNumVal
 when 0...3
 'Low'
 when 3...7
@@ -22,7 +22,7 @@ filter {
 else
 'None'
 end
- event.set('[threat][indicator][confidence]', confStrVal)"
+ event.set('[threat][indicator][confidence]', confStrVal) end"
 }
 }
 }
@@ -119,6 +119,15 @@ filter {
 mutate { id => "mutate_merge_zeek_intel_indicator_types_matched" merge => { "[threat][indicator][type]" => "[@metadata][intel_indicator_types_matched]" } } }
+ if ([threat][indicator][type]) {
+ ruby {
+ id => "ruby_threat_indicator_type_uniq"
+ path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb"
+ script_params => {
+ "field" => "[threat][indicator][type]"
+ }
+ }
+ }
 # zeek.intel.sources -> threat.indicator.provider
 if ([zeek][intel][sources]) {
diff --git a/logstash/pipelines/zeek/1400_zeek_convert.conf b/logstash/pipelines/zeek/1400_zeek_convert.conf
index 424e82e29..4960e8022 100644
--- a/logstash/pipelines/zeek/1400_zeek_convert.conf
+++ b/logstash/pipelines/zeek/1400_zeek_convert.conf
@@ -473,7 +473,7 @@ filter {
 id => "date_zeek_intel_cif_firstseen"
 match => [ "[zeek][intel][cif_firstseen]", "UNIX" ]
 target => "[threat][indicator][first_seen]"
- remove_field => [ "[zeek][intel][cif_firstseen]"
+ remove_field => [ "[zeek][intel][cif_firstseen]" ]
 }
 }
 }
@@ -486,7 +486,7 @@ filter {
 id => "date_zeek_intel_cif_lastseen"
 match => [ "[zeek][intel][cif_lastseen]", "UNIX" ]
 target => "[threat][indicator][last_seen]"
- remove_field => [ "[zeek][intel][cif_lastseen]"
+ remove_field => [ "[zeek][intel][cif_lastseen]" ]
 }
 }
 }
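Review bot: The guard `if (confNumVal = event.get('[zeek][intel][cif_confidence]').to_f) then` in the -12 hunk can never be false, because `nil.to_f` and the `to_f` of a non-numeric string both yield `0.0` and every Float is truthy in Ruby, so an absent or malformed `cif_confidence` is silently mapped to `'Low'` by `when 0...3` instead of being skipped. Unless an outer `if ([zeek][intel][cif_confidence])` condition (which would sit outside this hunk) already excludes missing values, test the raw value before converting: `if (confRaw = event.get('[zeek][intel][cif_confidence]')) then` followed by `confNumVal = confRaw.to_f` on the next line, which at least excludes the nil case. In the -22 hunk the appended `end` closes this same `if`; placing it on its own line before the closing quote, `end"`, keeps the embedded Ruby readable. The `ruby {` block that owns this `code` string starts before the hunk.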
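Review bot: The new `ruby` filter in the -119 hunk runs `make_unique_array.rb` over `[threat][indicator][type]` without stating why, and the reason is only recoverable from the preceding context line, where the `mutate` `merge` can append values from `[@metadata][intel_indicator_types_matched]` that the field already holds. A one-line comment above the new condition would make that dependency explicit, e.g. `# the merge above can introduce duplicate indicator types; collapse to a unique list`. The script at `/usr/share/logstash/malcolm-ruby/make_unique_array.rb` is not part of this diff, so whether it tolerates a scalar (non-array) value in `field` cannot be confirmed from here; worth checking, since a single type may be stored as a string rather than an array.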