From 85030ca0f6c9cb855b966ee82e389c71995f03b6 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 8 Nov 2023 00:47:46 +0100
Subject: [PATCH 1/2] Update windows.py
---
 sigma/pipelines/elasticsearch/windows.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sigma/pipelines/elasticsearch/windows.py b/sigma/pipelines/elasticsearch/windows.py
index e93b280..9638c29 100644
--- a/sigma/pipelines/elasticsearch/windows.py
+++ b/sigma/pipelines/elasticsearch/windows.py
@@ -71,7 +71,7 @@ def ecs_windows() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Elastic Common Schema (ECS) Windows log mappings from Winlogbeat from version 7",
 priority=20,
- allowed_backends=("lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "lucene", "opensearch"),
 items=generate_windows_logsource_items("winlog.channel", "{source}") + [ # Variable field mappinga depending on category/service
 ProcessingItem(
 identifier=f"elasticsearch_windows-{field}-{logsrc_field}-{logsrc}",
@@ -189,7 +189,7 @@ def ecs_windows_old() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Elastic Common Schema (ECS) Windows log mappings from Winlogbeat up to version 6",
 priority=20,
- allowed_backends=("lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "lucene", "opensearch"),
 items=generate_windows_logsource_items("winlog.channel", "{source}") + [
 ProcessingItem( # Field mappings
 identifier="ecs_windows_field_mapping",
From 30559ab8994e605ed5477a44866cff3046138ac5 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 8 Nov 2023 00:48:30 +0100
Subject: [PATCH 2/2] Update zeek.py
---
 sigma/pipelines/elasticsearch/zeek.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sigma/pipelines/elasticsearch/zeek.py b/sigma/pipelines/elasticsearch/zeek.py
index d7b0695..9714736 100644
--- a/sigma/pipelines/elasticsearch/zeek.py
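Review bot: The tuple `("elasticsearch", "lucene", "opensearch")` is now written out verbatim in `ecs_windows` and `ecs_windows_old` here and again in the three zeek.py hunks (`ecs_zeek_beats`, `ecs_zeek_corelight`, `zeek_raw`), which is exactly why this change had to be repeated five times and why the next backend will be just as easy to miss in one of them. A single module-level constant shared by both files, e.g. `ECS_ALLOWED_BACKENDS = ("elasticsearch", "lucene", "opensearch")` with `allowed_backends=ECS_ALLOWED_BACKENDS,` at each call site, would turn this into one edit. A parametrized test asserting that each pipeline is accepted for every identifier in that tuple would also catch a mistyped backend name, which would otherwise silently exclude that backend rather than fail. Neither commit message says which backend reports itself as `elasticsearch`, so a short comment at the constant naming it would help a reader understand why three identifiers are listed. The enclosing `return ProcessingPipeline(` calls continue past the end of each hunk.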
+++ b/sigma/pipelines/elasticsearch/zeek.py
@@ -16,7 +16,7 @@ def ecs_zeek_beats() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Elastic Common Schema (ECS) for Zeek using filebeat >= 7.6.1",
 priority=20,
- allowed_backends=("lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "lucene", "opensearch"),
 items=[
 ProcessingItem(
 identifier=f"zeek_mapping_category_{ category }_to_service_{ service }",
@@ -485,7 +485,7 @@ def ecs_zeek_corelight() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Elastic Common Schema (ECS) mapping from Corelight",
 priority=20,
- allowed_backends=("lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "lucene", "opensearch"),
 items=[
 ProcessingItem(
 identifier=f"zeek_mapping_category_{ category }_to_service_{ service }",
@@ -954,7 +954,7 @@ def zeek_raw() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Zeek raw JSON field naming",
 priority=20,
- allowed_backends=("lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "lucene", "opensearch"),
 items=[
 ProcessingItem(
 identifier=f"zeek_mapping_category_{ category }_to_service_{ service }",