x-pack/filebeat/module/cef/log/ingest/pipeline.yml

---
description: Pipeline for Filebeat CEF

processors:
  # IP Geolocation Lookup
  - geoip:
        field: source.ip
        target_field: source.geo
        ignore_missing: true
  - geoip:
        field: destination.ip
        target_field: destination.geo
        ignore_missing: true

  # IP Autonomous System (AS) Lookup
  - geoip:
        database_file: GeoLite2-ASN.mmdb
        field: source.ip
        target_field: source.as
        properties:
            - asn
            - organization_name
        ignore_missing: true
  - geoip:
        database_file: GeoLite2-ASN.mmdb
        field: destination.ip
        target_field: destination.as
        properties:
            - asn
            - organization_name
        ignore_missing: true
  - rename:
        field: source.as.asn
        target_field: source.as.number
        ignore_missing: true
  - rename:
        field: source.as.organization_name
        target_field: source.as.organization.name
        ignore_missing: true
  - rename:
        field: destination.as.asn
        target_field: destination.as.number
        ignore_missing: true
  - rename:
        field: destination.as.organization_name
        target_field: destination.as.organization.name
        ignore_missing: true
  - append:
        field: related.hash
        value: "{{cef.extensions.fileHash}}"
        if: "ctx?.cef?.extensions?.fileHash != null"
  - append:
        field: related.hash
        value: "{{cef.extensions.oldFileHash}}"
        if: "ctx?.cef?.extensions?.oldFileHash != null"
  - append:
        field: related.ip
        value: "{{destination.ip}}"
        if: "ctx?.destination?.ip != null"
  - append:
        field: related.ip
        value: "{{destination.nat.ip}}"
        if: "ctx?.destination?.nat?.ip != null"
  - append:
        field: related.ip
        value: "{{source.ip}}"
        if: "ctx?.source?.ip != null"
  - append:
        field: related.ip
        value: "{{source.nat.ip}}"
        if: "ctx?.source?.nat?.ip != null"
  - append:
        field: related.user
        value: "{{destination.user.name}}"
        if: "ctx?.destination?.user?.name != null"
  - append:
        field: related.user
        value: "{{source.user.name}}"
        if: "ctx?.source?.user?.name != null"
  - pipeline:
        name: '{< IngestPipeline "fp-pipeline" >}'
        if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
on_failure:
  - set:
        field: error.message
        value: "{{ _ingest.on_failure_message }}"