utmstack
diff --git a/‎filters/cisco/asa.yml‎
Lines changed: 2 additions & 2 deletions b/‎filters/cisco/asa.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎filters/cisco/cs_switch.yml‎
Lines changed: 6 additions & 6 deletions b/‎filters/cisco/cs_switch.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎filters/cisco/firepower.yml‎
Lines changed: 4 additions & 4 deletions b/‎filters/cisco/firepower.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎filters/cisco/meraki.yml‎
Lines changed: 2 additions & 2 deletions b/‎filters/cisco/meraki.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎filters/deceptivebytes/deceptive-bytes.yml‎
Lines changed: 2 additions & 13 deletions b/‎filters/deceptivebytes/deceptive-bytes.yml‎
Lines changed: 2 additions & 13 deletions
@@ -5723,12 +5723,12 @@ pipeline:
           from:
             - log.tmpIp
           to: origin.ip
-          where: log.messageId==733101 && action.contains("attacking")
+          where: log.messageId==733101 && contains("action", "attacking")
       - rename:
           from:
             - log.tmpIp
           to: target.ip
-          where: log.messageId==733101 && action.contains("targeted")
+          where: log.messageId==733101 && contains("action", "targeted")
       # Adding action result
       - add:
           function: 'string'
 
@@ -52,7 +52,7 @@ pipeline:
             - fieldName: log.ciscoMsg
               pattern: '{{.greedy}}'
           source: log.msg
-          where: '(log.msg.contains("-MSG:SLOT") == false) && (log.msg.contains("-MSG: SLOT") == false)'
+          where: '(!contains("log.msg", "-MSG:SLOT")) && (!contains("log.msg", "-MSG: SLOT"))'
       # Extracting subfacility if present
       - grok:
           patterns:
@@ -61,7 +61,7 @@ pipeline:
             - fieldName: log.severity
               pattern: '{{.integer}}'
           source: log.severity
-          where: '(log.msg.contains("-MSG:SLOT") == false) && (log.msg.contains("-MSG: SLOT") == false)'
+          where: '(!contains("log.msg", "-MSG:SLOT")) && (!contains("log.msg", "-MSG: SLOT"))'
       # --------------------------
       # Variant -> %CARD-SEVERITY-MSG:SLOT %FACILITY-SEVERITY-MNEMONIC: Message-text
       - grok:
@@ -79,14 +79,14 @@ pipeline:
             - fieldName: log.ciscoMsg
               pattern: '{{.greedy}}'
           source: log.msg
-          where: 'log.msg.contains("-MSG:SLOT") || log.msg.contains("-MSG: SLOT")'
+          where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")'
 
       - trim:
           function: prefix
           substring: '%'
           fields:
             - log.tmpFacilityMnemonic
-          where: 'log.msg.contains("-MSG:SLOT") || log.msg.contains("-MSG: SLOT")'
+          where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")'
       # %FACILITY-SEVERITY-MNEMONIC
       - grok:
           patterns:
@@ -97,7 +97,7 @@ pipeline:
             - fieldName: log.facilityMnemonic
               pattern: '{{.data}}\:'
           source: log.tmpFacilityMnemonic
-          where: 'log.msg.contains("-MSG:SLOT") || log.msg.contains("-MSG: SLOT")'
+          where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")'
       # Extracting subfacility if present
       - grok:
           patterns:
@@ -106,7 +106,7 @@ pipeline:
             - fieldName: log.severity
               pattern: '{{.integer}}'
           source: log.severity
-          where: 'log.msg.contains("-MSG:SLOT") || log.msg.contains("-MSG: SLOT")'
+          where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")'
 
       # Cleaning common fields
       - trim:
 
@@ -4947,12 +4947,12 @@ pipeline:
           from:
             - log.tmpIp
           to: origin.ip
-          where: equals("log.messageId", 733101) && action.contains("attacking")
+          where: equals("log.messageId", 733101) && contains("action", "attacking")
       - rename:
           from:
             - log.tmpIp
           to: target.ip
-          where: equals("log.messageId", 733101) && action.contains("targeted")
+          where: equals("log.messageId", 733101) && contains("action", "targeted")
       # Adding action result
       - add:
           function: 'string'
@@ -4978,13 +4978,13 @@ pipeline:
           params:
             key: action
             value: 'Threat-detection add host to shun list'
-          where: (equals("log.messageId", 733102) || log.messageId==733103) && log.msg.contains("add")
+          where: (equals("log.messageId", 733102) || log.messageId==733103) && contains("log.msg", "add")
       - add:
           function: 'string'
           params:
             key: action
             value: 'Threat-detection removes host to shun list'
-          where: (equals("log.messageId", 733102) || log.messageId==733103) && log.msg.contains("removes")
+          where: (equals("log.messageId", 733102) || log.messageId==733103) && contains("log.msg", "removes")
       #......................................................................#
       # Decoding severity
       - add:
 
@@ -346,13 +346,13 @@ pipeline:
           params:
             key: actionResult
             value: 'accepted'
-          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (log.pattern.startsWith("0") || log.pattern.startsWith("allow") || log.pattern.startsWith("Allow"))'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (startsWith("log.pattern", "0") || startsWith("log.pattern", "allow") || startsWith("log.pattern", "Allow"))'
       - add:
           function: 'string'
           params:
             key: actionResult
             value: 'denied'
-          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (log.pattern.startsWith("deny") || log.pattern.startsWith("Deny"))'
+          where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (startsWith("log.pattern", "deny") || startsWith("log.pattern", "Deny"))'
       # ........................................
       # Event: ids-alerts, ids signature matched in Meraki MX Security Appliance
       - grok:
 
@@ -240,17 +240,6 @@ pipeline:
               pattern: '{{.integer}}\s'
             - fieldName: log.component
               pattern: '{{.word}}\,'
-            - fieldName: log.errorCode
-              pattern: '{{.integer}}\]'
-            - fieldName: log.message
-              pattern: '{{.greedy}}'
-          source: log.restMessage
-          where: log.restMessage.contains("file")
-
-      - grok:
-          patterns:
-            - fieldName: log.severityLabelCharacter
-              pattern: '{{.word}}\s'
             - fieldName: log.trheadId
               pattern: '{{.integer}}\,'
             - fieldName: log.eventSource
@@ -262,7 +251,7 @@ pipeline:
             - fieldName: origin.path
               pattern: '(?:[A-Z]:\\(?:[^\\\n]+\\)*[^\\\n]*|\/(?:[^\/\n]+\/)*[^\/\n]*)'
           source: log.restMessage
-          where: log.severityLabelCharacter.contains("V")
+          where: contains("log.severityLabelCharacter", "V")
 
       - grok:
           patterns:
@@ -350,7 +339,7 @@ pipeline:
             - fieldName: log.irrelevant
               pattern: '{{.greedy}}'
           source: raw
-          where: log.severityLabelCharacter.contains("W")
+          where: contains("log.severityLabelCharacter", "W")
 
       # Removing unnecessary characters
       - trim: