Modifying some of the type references.

This commit is contained in:
Phrozyn 2019-04-09 11:09:49 -05:00
Родитель 4ea91f7ac0
Коммит ff20881548
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: DBCDDDC9CF758282
3 изменённых файлов: 5 добавлений и 8 удалений


@ -221,6 +221,7 @@ def keyMapping(aDict):
elif k in ('type', 'eventtype', 'category'): elif k in ('type', 'eventtype', 'category'):
returndict[u'category'] = toUnicode(v) returndict[u'category'] = toUnicode(v)
returndict[u'type'] = 'cloudtrail'
# custom fields as a list/array # custom fields as a list/array
elif k in ('fields', 'details'): elif k in ('fields', 'details'):
@ -257,10 +258,7 @@ def keyMapping(aDict):
if 'utctimestamp' not in returndict: if 'utctimestamp' not in returndict:
# default in case we don't find a reasonable timestamp # default in case we don't find a reasonable timestamp
returndict['utctimestamp'] = toUTC(datetime.now()).isoformat() returndict['utctimestamp'] = toUTC(datetime.now()).isoformat()
if 'type' not in returndict:
# default replacement for old _type subcategory.
# to preserve filtering capabilities
returndict['type'] = 'cloudtrail'
except Exception as e: except Exception as e:
logger.exception(e) logger.exception(e)
logger.error('Malformed message: %r' % aDict) logger.error('Malformed message: %r' % aDict)
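Review bot: After this change `type` is only written when the incoming record carries a `type`, `eventtype` or `category` key (the new `returndict[u'type'] = 'cloudtrail'` sits inside that `elif` branch in the first hunk), while the second hunk removes the end-of-function fallback that used to supply `'cloudtrail'` when none of those keys was present; a CloudTrail record without them now leaves `returndict` with no `type` at all, so any filter or alert keyed on `type == 'cloudtrail'` silently drops it. Unless a line not shown in this rendering sets it unconditionally, assign `returndict[u'type'] = 'cloudtrail'` once outside the key branch, or keep the removed `if 'type' not in returndict:` fallback. The new line spells the key `u'type'` while the removed lines used `'type'`; pick one spelling within this function. keyMapping begins before the first hunk and continues after the second.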


@ -64,9 +64,8 @@ class message(object):
if not self.validate(message['details']): if not self.validate(message['details']):
logger.error('Invalid format for complianceitem {0}'.format(message)) logger.error('Invalid format for complianceitem {0}'.format(message))
return (None, None) return (None, None)
if 'type' not in message: # add type subcategory for filtering
# add type subcategory for filtering message['type'] = 'last_known_state'
message['type'] = 'last_known_state'
item = self.cleanup_item(message['details']) item = self.cleanup_item(message['details'])
docidstr = 'complianceitems' docidstr = 'complianceitems'
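Review bot: The comment `# add type subcategory for filtering` kept on the new side no longer describes what follows: with the `if 'type' not in message:` guard removed, `message['type'] = 'last_known_state'` now overwrites any `type` the producer sent instead of filling in a missing one. If the overwrite is intended, say so, e.g. `# force type subcategory for filtering; overrides any producer-supplied value`; if it is not, the guard should stay. The enclosing method begins before this hunk.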


@ -77,7 +77,7 @@ class message(object):
newmessage = dict() newmessage = dict()
# Set NSM as type for categorical filtering of events. # Set NSM as type for categorical filtering of events.
newmessage["type"] = "nsm" newmessage["type"] = "squid"
newmessage[u"mozdefhostname"] = self.mozdefhostname newmessage[u"mozdefhostname"] = self.mozdefhostname
newmessage["details"] = {} newmessage["details"] = {}
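Review bot: The comment `# Set NSM as type for categorical filtering of events.` is now stale: the line directly below it sets `newmessage["type"]` to `"squid"`, so the reader is told one value and gets another. Change it to `# Set squid as type for categorical filtering of events.` Any saved search or alert that filtered this plugin's events on the old value `nsm` stops matching after this change, which is worth stating in the commit description. The enclosing method begins before and continues after this hunk.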