move remaiing winlog to event.original string and updated ad users da…

…ta set
Cargill · Dec 15, 2023 · e2ff450 · e2ff450
1 parent db45cb8
commit e2ff450
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/config/processors/api_list_ad_users.conf b/config/processors/api_list_ad_users.conf
@@ -13,8 +13,8 @@ filter {
   }
   mutate{
     add_field => {
-      "[event][module]" => "azure"
-      "[event][dataset]" => "azure.directory_users"
+      "[event][module]" => "active_directory"
+      "[event][dataset]" => "active_directory.users"
       "[log][source][hostname]" => "%{[agent][name]}"
     }
   }

diff --git a/config/processors/wef_audit_windows.events.conf b/config/processors/wef_audit_windows.events.conf
@@ -373,9 +373,15 @@ filter {
       }
     }
   }
+
+  # Copy any thing not mapped form "[winlog]" to [event][original] string  
+  ruby {
+    code => 'event.set("[event][original]", event.get("[winlog]").to_s)'
+  }
   mutate {
     remove_field => [ "[winlog]", "ecs", "tmp", "type", "ticket_encrypt", "ticket_option", "[fields]", "failure_code" ]
   }
+
 }
 output {
   pipeline { send_to => [enrichments] }