anomalithreatstream/ingest Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -42,11 +42,11 @@ processors:
4242 field : threatintel.abuseurl.url
4343 target_field : threatintel.indicator.url
4444 keep_original : true
45- - rename :
46- field : threatintel.abuseurl.url
47- target_field : threatintel.indicator.url.full
48- ignore_missing : true
49- if : ctx?.threatintel?.abuseurl?.url != null
45+ remove_if_successful : true
46+ - set :
47+ field : threatintel.indicator.url.full
48+ copy_from : threatintel.indicator.url.original
49+ ignore_empty_value : true
5050- rename :
5151 field : threatintel.abuseurl.host
5252 target_field : threatintel.indicator.domain
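Review bot: The new `set` processor at lines 46-49 (new side) has no `if` guard, unlike the `rename` it replaces, so it relies entirely on `ignore_empty_value: true` skipping the copy when `threatintel.indicator.url.original` is absent, which is only the case when the preceding `uri_parts` (its start lies outside this hunk) ran and `keep_original: true` populated it. That works, but the same commit keeps an explicit `if` on the equivalent `set` in the misp and otx pipelines, so the two styles now diverge across the five hunks; the abuseurl, anomali and json.url hunks drop the condition while the last two keep it. Either add a guard such as `if: ctx?.threatintel?.indicator?.url?.original != null` here and in the other two, or document the reliance once, e.g. `# url.full is copied from url.original, which only exists when uri_parts succeeded; ignore_empty_value skips the copy otherwise`. Note that on a `uri_parts` failure `remove_if_successful` leaves the raw source field in place, so whether the document is still indexed depends on an `on_failure`/`ignore_failure` that is not visible in this hunk.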
Original file line number Diff line number Diff line change @@ -80,12 +80,12 @@ processors:
8080 field : _tmp.threatvalue
8181 target_field : threatintel.indicator.url
8282 keep_original : true
83+ remove_if_successful : true
8384 if : ctx?.threatintel?.indicator?.type == 'url'
84- - rename :
85- field : _tmp.threatvalue
86- target_field : threatintel.indicator.url.full
87- ignore_missing : true
88- if : ctx?.threatintel?.indicator?.type == 'url'
85+ - set :
86+ field : threatintel.indicator.url.full
87+ copy_from : threatintel.indicator.url.original
88+ ignore_empty_value : true
8989- rename :
9090 field : _tmp.threatvalue
9191 target_field : threatintel.indicator.email.address
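Review bot: `remove_if_successful: true` at line 83 now deletes `_tmp.threatvalue` once the URL parses, but the same field is the source of the `rename` to `threatintel.indicator.email.address` that begins at line 89, whose `if`/`ignore_missing` settings are outside this hunk. If that rename is gated on `ctx?.threatintel?.indicator?.type == 'email'` the removal is harmless, since the two branches are exclusive; if it is not, it will now fail for URL indicators, so please confirm. The `set` at lines 85-88 also drops the `if: ctx?.threatintel?.indicator?.type == 'url'` the old `rename` carried and relies on `ignore_empty_value` instead, which is acceptable only because `url.original` is written solely by the `uri_parts` above.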
Original file line number Diff line number Diff line change @@ -256,16 +256,17 @@ processors:
256256 field : json.url
257257 target_field : threatintel.indicator.url
258258 keep_original : true
259+ remove_if_successful : true
259260 if : ' ctx.json.url != null'
260261 on_failure :
261262 - append :
262263 field : error.message
263264 value : ' Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}'
264- - rename :
265- field : json.url
266- target_field : threatintel.indicator.url.full
267- ignore_missing : true
268- if : ' ctx.json.url != null '
265+
266+ - set :
267+ field : threatintel.indicator.url.full
268+ copy_from : threatintel.indicator.url.original
269+ ignore_empty_value : true
269270
270271- rename :
271272 field : json.country
Original file line number Diff line number Diff line change @@ -134,11 +134,13 @@ processors:
134134 field : threatintel.misp.attribute.value
135135 target_field : threatintel.indicator.url
136136 keep_original : true
137+ remove_if_successful : true
137138 if : ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'
138- - rename :
139- field : threatintel.misp.attribute.value
140- target_field : threatintel.indicator.url.full
141- ignore_missing : true
139+
140+ - set :
141+ field : threatintel.indicator.url.full
142+ copy_from : threatintel.indicator.url.original
143+ ignore_empty_value : true
142144 if : " ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'"
143145
144146# # Regkey indicator operations
Original file line number Diff line number Diff line change @@ -83,11 +83,12 @@ processors:
8383 field : threatintel.otx.indicator
8484 target_field : threatintel.indicator.url
8585 keep_original : true
86+ remove_if_successful : true
8687 if : ctx?.threatintel?.indicator?.type == 'url'
87- - rename :
88- field : threatintel.otx. indicator
89- target_field : threatintel.indicator.url.full
90- ignore_missing : true
88+ - set :
89+ field : threatintel.indicator.url.full
90+ copy_from : threatintel.indicator.url.original
91+ ignore_empty_value : true
9192 if : " ctx?.threatintel?.otx?.type == 'URL'"
9293
9394# # Email indicator operations
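Review bot: The `set` at lines 88-91 is guarded by the pre-existing `if: " ctx?.threatintel?.otx?.type == 'URL'"` at line 92, while the `uri_parts` that produces `threatintel.indicator.url.original` is guarded by `ctx?.threatintel?.indicator?.type == 'url'` at line 87. If the two conditions ever disagree (the mapping from `otx.type` to `indicator.type` is set outside this hunk, so this is inferred), `url.full` is either left unset although `url.original` exists, or the copy runs and is skipped only because of `ignore_empty_value`. Using the same predicate for both processors, `if: ctx?.threatintel?.indicator?.type == 'url'`, removes the ambiguity; the misp hunk in this commit already keeps the `set` guard identical to its `uri_parts` guard.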