diff --git a/config/enrichments/92_misp.conf b/config/enrichments/92_misp.conf
index 01939f50..c725b368 100644
--- a/config/enrichments/92_misp.conf
+++ b/config/enrichments/92_misp.conf
@@ -24,7 +24,7 @@ filter {
 }
 if "memcached_get_success_process.hash.md5" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_process.hash.md5"]
 }
 json {
@@ -49,7 +49,7 @@ filter {
 }
 if "memcached_get_success_process.parent.hash.md5" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_process.parent.hash.md5"]
 }
 json {
@@ -74,7 +74,7 @@ filter {
 }
 if "memcached_get_success_file.hash.md5" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.hash.md5"]
 }
 json {
@@ -99,7 +99,7 @@ filter {
 }
 if "memcached_get_success_file.hash.sha1" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.hash.sha1"]
 }
 json {
@@ -124,7 +124,7 @@ filter {
 }
 if "memcached_get_success_file.hash.sha256" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.hash.sha256"]
 }
 json {
@@ -149,7 +149,7 @@ filter {
 }
 if "memcached_get_success_file.hash.sha512" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.hash.sha512"]
 }
 json {
@@ -174,7 +174,7 @@ filter {
 }
 if "memcached_get_success_file.name" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.name"]
 }
 json {
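Review bot: The `log_enriched_by_misp` tag is set in the `mutate` that runs before the `json` filter decodes the cached value, so in the hunk at -24, and in every other hunk of this file, which all repeat the pattern, an event looks MISP-enriched even when the cached value fails to parse. If the tag is meant to tell an analyst that indicator context was actually attached, it would be safer to set it on the decoder itself, `json { source => "memcache_value" add_tag => ["log_enriched_by_misp"] }`, because Logstash applies a filter's `add_tag` only when that filter succeeds. The `source` setting is only visible in the hunks from -855 to -1005, and each `json` block continues outside its hunk, so any failure handling already present cannot be seen here.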
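Review bot: Anything downstream that still selects on `log_enriched_by_memcached` will silently stop matching once the hunk at -49 and the other hunks in this file land, since the old tag is no longer emitted here. Dashboards, saved searches, alert rules and later pipeline conditionals are not part of this diff, so please confirm they were updated in the same change. It would also help to add a short comment at the top of the file, for example `# log_enriched_by_misp: event matched an indicator cached from MISP`, so the tag's meaning is documented where it is set.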
@@ -204,7 +204,7 @@ filter {
 }
 if "memcached_get_success_file.name_file.hash.md5" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.name_file.hash.md5"]
 }
 json {
@@ -234,7 +234,7 @@ filter {
 }
 if "memcached_get_success_file.name_file.hash.sha1" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.name_file.hash.sha1"]
 }
 json {
@@ -264,7 +264,7 @@ filter {
 }
 if "memcached_get_success_file.name_file.hash.sha256" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.name_file.hash.sha256"]
 }
 json {
@@ -294,7 +294,7 @@ filter {
 }
 if "memcached_get_success_file.name_file.hash.sha512" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.name_file.hash.sha512"]
 }
 json {
@@ -319,7 +319,7 @@ filter {
 }
 if "memcached_get_success_source.ip" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_source.ip"]
 }
 json {
@@ -344,7 +344,7 @@ filter {
 }
 if "memcached_get_success_destination.ip" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_destination.ip"]
 }
 json {
@@ -369,7 +369,7 @@ filter {
 }
 if "memcached_get_success_destination.mac" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_destination.mac"]
 }
 json {
@@ -394,7 +394,7 @@ filter {
 }
 if "memcached_get_success_host.hostname" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_host.hostname"]
 }
 json {
@@ -419,7 +419,7 @@ filter {
 }
 if "memcached_get_success_observer.hostname" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_observer.hostname"]
 }
 json {
@@ -444,7 +444,7 @@ filter {
 }
 if "memcached_get_success_log.source.hostname" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_log.source.hostname"]
 }
 json {
@@ -469,7 +469,7 @@ filter {
 }
 if "memcached_get_success_host.mac" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_host.mac"]
 }
 json {
@@ -494,7 +494,7 @@ filter {
 }
 if "memcached_get_success_url.domain" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_url.domain"]
 }
 json {
@@ -524,7 +524,7 @@ filter {
 }
 if "memcached_get_success_url.domain_destination.ip" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_url.domain_destination.ip"]
 }
 json {
@@ -549,7 +549,7 @@ filter {
 }
 if "memcached_get_success_url.full" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_url.full"]
 }
 json {
@@ -574,7 +574,7 @@ filter {
 }
 if "memcached_get_success_http.request.method" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_http.request.method"]
 }
 json {
@@ -599,7 +599,7 @@ filter {
 }
 if "memcached_get_success_user_agent.original" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_user_agent.original"]
 }
 json {
@@ -624,7 +624,7 @@ filter {
 }
 if "memcached_get_success_tls.server.hash.md5" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_tls.server.hash.md5"]
 }
 json {
@@ -649,7 +649,7 @@ filter {
 }
 if "memcached_get_success_registry.key" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_registry.key"]
 }
 json {
@@ -679,7 +679,7 @@ filter {
 }
 if "memcached_get_success_registry.key_registry.value" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_registry.key_registry.value"]
 }
 json {
@@ -704,7 +704,7 @@ filter {
 }
 if "memcached_get_success_source.as.organization.name" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_source.as.organization.name"]
 }
 json {
@@ -729,7 +729,7 @@ filter {
 }
 if "memcached_get_success_file.mime_type" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.mime_type"]
 }
 json {
@@ -754,7 +754,7 @@ filter {
 }
 if "memcached_get_success_user.id" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_user.id"]
 }
 json {
@@ -779,7 +779,7 @@ filter {
 }
 if "memcached_get_success_http.cookie.name" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_http.cookie.name"]
 }
 json {
@@ -804,7 +804,7 @@ filter {
 }
 if "memcached_get_success_vulnerability.reference" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_vulnerability.reference"]
 }
 json {
@@ -829,7 +829,7 @@ filter {
 }
 if "memcached_get_success_file.path" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_file.path"]
 }
 json {
@@ -855,7 +855,7 @@ filter {
 if "memcached_get_success_destination.user.name" in [tags] {
 mutate {
 remove_tag => ["memcached_get_success_destination.user.name"]
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 }
 json {
 source => "memcache_value"
@@ -880,7 +880,7 @@ filter {
 if "memcached_get_success_host.user.name" in [tags] {
 mutate {
 remove_tag => ["memcached_get_success_host.user.name"]
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 }
 json {
 source => "memcache_value"
@@ -905,7 +905,7 @@ filter {
 if "memcached_get_success_source.user.name" in [tags] {
 mutate {
 remove_tag => ["memcached_get_success_source.user.name"]
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 }
 json {
 source => "memcache_value"
@@ -930,7 +930,7 @@ filter {
 if "memcached_get_success_user.name" in [tags] {
 mutate {
 remove_tag => ["memcached_get_success_user.name"]
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 }
 json {
 source => "memcache_value"
@@ -955,7 +955,7 @@ filter {
 if "memcached_get_success_database.user.name" in [tags] {
 mutate {
 remove_tag => ["memcached_get_success_database.user.name"]
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 }
 json {
 source => "memcache_value"
@@ -980,7 +980,7 @@ filter {
 if "memcached_get_success_client.user.name" in [tags] {
 mutate {
 remove_tag => ["memcached_get_success_client.user.name"]
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 }
 json {
 source => "memcache_value"
@@ -1005,7 +1005,7 @@ filter {
 if "memcached_get_success_server.user.name" in [tags] {
 mutate {
 remove_tag => ["memcached_get_success_server.user.name"]
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 }
 json {
 source => "memcache_value"
@@ -1029,7 +1029,7 @@ filter {
 }
 if "memcached_get_success_destination.user.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_destination.user.email"]
 }
 json {
@@ -1054,7 +1054,7 @@ filter {
 }
 if "memcached_get_success_client.user.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_client.user.email"]
 }
 json {
@@ -1079,7 +1079,7 @@ filter {
 }
 if "memcached_get_success_host.user.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_host.user.email"]
 }
 json {
@@ -1104,7 +1104,7 @@ filter {
 }
 if "memcached_get_success_server.user.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_server.user.email"]
 }
 json {
@@ -1129,7 +1129,7 @@ filter {
 }
 if "memcached_get_success_source.address" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_source.address"]
 }
 json {
@@ -1154,7 +1154,7 @@ filter {
 }
 if "memcached_get_success_destination.address" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_destination.address"]
 }
 json {
@@ -1179,7 +1179,7 @@ filter {
 }
 if "memcached_get_success_destination.as.organization.name" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_destination.as.organization.name"]
 }
 json {
@@ -1204,7 +1204,7 @@ filter {
 }
 if "memcached_get_success_process.name" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_process.name"]
 }
 json {
@@ -1229,7 +1229,7 @@ filter {
 }
 if "memcached_get_success_tls.server.hash.sha1" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_tls.server.hash.sha1"]
 }
 json {
@@ -1254,7 +1254,7 @@ filter {
 }
 if "memcached_get_success_tls.server.hash.md5" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_tls.server.hash.md5"]
 }
 json {
@@ -1279,7 +1279,7 @@ filter {
 }
 if "memcached_get_success_tls.server.hash.sha256" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_tls.server.hash.sha256"]
 }
 json {
@@ -1304,7 +1304,7 @@ filter {
 }
 if "memcached_get_success_destination.port" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_destination.port"]
 }
 json {
@@ -1334,7 +1334,7 @@ filter {
 }
 if "memcached_get_success_destination.ip_destination.port" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_destination.ip_destination.port"]
 }
 json {
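Review bot: The conditional on `memcached_get_success_tls.server.hash.md5` in the hunk at -1254 repeats the one at -624, and the same duplication exists for `memcached_get_success_destination.user.email` at -1029 and -1589. Each first block removes the success tag, so the second either never fires or, if a second cache lookup sits between them outside the hunks, parses the same enrichment twice. It looks like a copy-paste where a different field was intended (the neighbouring blocks cover sha1 and sha256 of the same certificate), which would leave one indicator type unchecked. Please confirm which field each duplicate was meant to cover, or drop the second copy.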
@@ -1364,7 +1364,7 @@ filter {
 }
 if "memcached_get_success_destination.address_destination.port" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_destination.address_destination.port"]
 }
 json {
@@ -1389,7 +1389,7 @@ filter {
 }
 if "memcached_get_success_client.mac" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_client.mac"]
 }
 json {
@@ -1414,7 +1414,7 @@ filter {
 }
 if "memcached_get_success_observer.mac" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_observer.mac"]
 }
 json {
@@ -1439,7 +1439,7 @@ filter {
 }
 if "memcached_get_success_server.mac" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_server.mac"]
 }
 json {
@@ -1464,7 +1464,7 @@ filter {
 }
 if "memcached_get_success_network.mac" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_network.mac"]
 }
 json {
@@ -1489,7 +1489,7 @@ filter {
 }
 if "memcached_get_success_source.mac" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_source.mac"]
 }
 json {
@@ -1514,7 +1514,7 @@ filter {
 }
 if "memcached_get_success_source.user.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_source.user.email"]
 }
 json {
@@ -1539,7 +1539,7 @@ filter {
 }
 if "memcached_get_success_user.changes.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_user.changes.email"]
 }
 json {
@@ -1564,7 +1564,7 @@ filter {
 }
 if "memcached_get_success_user.effective.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_user.effective.email"]
 }
 json {
@@ -1589,7 +1589,7 @@ filter {
 }
 if "memcached_get_success_destination.user.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_destination.user.email"]
 }
 json {
@@ -1614,7 +1614,7 @@ filter {
 }
 if "memcached_get_success_database.user.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_database.user.email"]
 }
 json {
@@ -1639,7 +1639,7 @@ filter {
 }
 if "memcached_get_success_user.target.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_user.target.email"]
 }
 json {
@@ -1664,7 +1664,7 @@ filter {
 }
 if "memcached_get_success_user.email" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_user.email"]
 }
 json {
@@ -1689,7 +1689,7 @@ filter {
 }
 if "memcached_get_success_email.subject" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_email.subject"]
 }
 json {
@@ -1714,7 +1714,7 @@ filter {
 }
 if "memcached_get_success_email.body" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_email.body"]
 }
 json {
@@ -1739,7 +1739,7 @@ filter {
 }
 if "memcached_get_success_email.header" in [tags] {
 mutate {
- add_tag => ["log_enriched_by_memcached"]
+ add_tag => ["log_enriched_by_misp"]
 remove_tag => ["memcached_get_success_email.header"]
 }
 json {