
Merge pull request #11232 from Security-Onion-Solutions/fix/strelka_e…
…ntropy

Strelka entropy mapping
weslambert authored Aug 31, 2023
2 parents d86e21c + 0fed757 commit ce2a713
Showing 2 changed files with 11 additions and 4 deletions.
4 changes: 2 additions & 2 deletions salt/elasticsearch/files/ingest/strelka.file
Expand Up @@ -63,8 +63,8 @@
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69", "field": "event.severity", "value": 2, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } },
{ "set": { "if": "ctx.scan?.entropy?.entropy == 0", "field": "scan.entropy.entropy", "value": "0.0", "override": true } },
{ "set": { "if": "ctx.scan?.pe?.image_version == 0", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
{ "set": { "if": "ctx.scan?.entropy?.entropy == '0'", "field": "scan.entropy.entropy", "value": "0.0", "override": true } },
{ "set": { "if": "ctx.scan?.pe?.image_version == '0'", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" }},
{ "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
{ "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },
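Review bot: The rewritten guards on the two `set` processors (`ctx.scan?.entropy?.entropy == '0'` and `ctx.scan?.pe?.image_version == '0'`) appear to match only a string value of zero; a numeric zero, which the replaced `== 0` comparison did catch, no longer triggers the rewrite, so completeness now depends on Strelka always emitting these fields as strings — worth confirming against a sample document. If both representations occur, the guard can accept either: `"if": "ctx.scan?.entropy?.entropy == '0' || ctx.scan?.entropy?.entropy == 0"`. The value written is still the string `"0.0"` while so-scan-mappings.json in this same commit declares `scan.entropy.entropy` as `float`, so indexing relies on Elasticsearch's default numeric coercion; a `convert` processor with `"type": "float"` would make the intent explicit and also normalise non-zero string entropies. The processors array containing these lines begins and ends outside the hunk.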
11 changes: 9 additions & 2 deletions salt/elasticsearch/templates/component/so/so-scan-mappings.json
Expand Up @@ -33,10 +33,17 @@
}
}
}
}
},
"entropy": {
"properties": {
"entropy": {
"type": "float"
}
}
}
}
}
}
}
}
}
}
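Review bot: The new `scan.entropy.entropy` field is mapped as a strict `float` with no `ignore_malformed`, so any document in which Strelka emits a non-numeric value for it would be rejected in full at index time rather than indexed without that one field. Given that the ingest pipeline in strelka.file already has to special-case a zero value for this field, the representation seems variable enough to justify `"type": "float", "ignore_malformed": true` here. The same consideration applies to `scan.pe.image_version` if it is mapped elsewhere in this file. The enclosing `scan` properties object opens before this hunk, so only the closing braces are visible here.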
