
Commit b23c9ac

committed
refactor: Update filter configurations to use new expression functions like oneOf, equals, and contains for conditional logic.
1 parent 19ca2c6 commit b23c9ac

21 files changed

Lines changed: 1044 additions & 1044 deletions

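--- a/filters/antivirus/esmc-eset.yml
+++ b/filters/antivirus/esmc-eset.yml
@@ -90,21 +90,21 @@ pipeline:
 params:
 key: severity
 value: 'low'
-where: safe("log.severity", "") in ["INFO", "Info"]
+where: oneOf("log.severity", ["INFO", "Info"])
 
 - add:
 function: 'string'
 params:
 key: severity
 value: 'medium'
-where: safe("log.severity", "") in ["WARNING", "Warning"]
+where: oneOf("log.severity", ["WARNING", "Warning"])
 
 - add:
 function: 'string'
 params:
 key: severity
 value: 'high'
-where: safe("log.severity", "") in ["ERROR", "Error"]
+where: oneOf("log.severity", ["ERROR", "Error"])
 
 # Adding geolocation to origin.ip
 - dynamic: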
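Review bot: The rewritten `where` conditions at lines 93, 100 and 107 replace `safe("log.severity", "")`, which supplied an explicit default for a missing field, with `oneOf("log.severity", [...])`, and nothing on this page shows how `oneOf` behaves when the key is absent or not a string; if it errors or evaluates to anything other than false, events without a severity could now fail the step instead of skipping it. The same substitution is made in azure-eventhub.yml, asa.yml and cs_switch.yml in this commit. A one-line comment above the first such step would record the contract the filters now rely on, e.g. `# oneOf() is expected to evaluate false (not error) when log.severity is absent`. The steps also still match only the listed spellings, so any other casing leaves severity unset, as before the change.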

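--- a/filters/azure/azure-eventhub.yml
+++ b/filters/azure/azure-eventhub.yml
@@ -611,19 +611,19 @@ pipeline:
 params:
 key: severity
 value: 'high'
-where: safe("log.level", "") in ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"]
+where: oneOf("log.level", ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"])
 - add:
 function: 'string'
 params:
 key: severity
 value: 'medium'
-where: safe("log.level", "") in ["WARN", "Warning"]
+where: oneOf("log.level", ["WARN", "Warning"])
 - add:
 function: 'string'
 params:
 key: severity
 value: 'low'
-where: safe("log.level", "") in ["Information", "Informational", "INFO", "DEBUG", "TRACE"]
+where: oneOf("log.level", ["Information", "Informational", "INFO", "DEBUG", "TRACE"])
 
 # .......................................................................#
 # Add geolocation to remote.ip
@@ -643,37 +643,37 @@ pipeline:
 params:
 key: action
 value: 'get'
-where: safe("log.propertiesRequestMethod", "") == "GET"
+where: equals("log.propertiesRequestMethod", "GET")
 - add:
 function: 'string'
 params:
 key: action
 value: 'post'
-where: safe("log.propertiesRequestMethod", "") == "POST"
+where: equals("log.propertiesRequestMethod", "POST")
 - add:
 function: 'string'
 params:
 key: action
 value: 'put'
-where: safe("log.propertiesRequestMethod", "") == "PUT"
+where: equals("log.propertiesRequestMethod", "PUT")
 - add:
 function: 'string'
 params:
 key: action
 value: 'delete'
-where: safe("log.propertiesRequestMethod", "") == "DELETE"
+where: equals("log.propertiesRequestMethod", "DELETE")
 - add:
 function: 'string'
 params:
 key: action
 value: 'patch'
-where: safe("log.propertiesRequestMethod", "") == "PATCH"
+where: equals("log.propertiesRequestMethod", "PATCH")
 - add:
 function: 'string'
 params:
 key: action
 value: 'request'
-where: safe("log.propertiesRequestMethod", "") == "REQUEST"
+where: equals("log.propertiesRequestMethod", "REQUEST")
 
 # .......................................................................#
 # Removing log.propertiesRequestMethod if action was set
@@ -716,4 +716,4 @@ pipeline:
 params:
 key: actionResult
 value: 'accepted'
-where: safe("statusCode", 0.0) >= double(200) && safe("statusCode", 0.0) <= double(299) || (safe("statusCode", 0.0) >= double(300) && safe("statusCode", 0.0) <= double(399) && safe("origin.bytesReceived", 0.0) > double(0))
+where: (greaterOrEqual("statusCode", 200) && lessOrEqual("statusCode", 299)) || (greaterOrEqual("statusCode", 300) && lessOrEqual("statusCode", 399) && greaterThan("origin.bytesReceived", 0))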
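Review bot: The range check at line 719 drops the `double()` coercion and the `0.0` default that the old expression applied to `statusCode` and `origin.bytesReceived`, and the page does not show whether `greaterOrEqual`, `lessOrEqual` and `greaterThan` compare a string-typed or missing value numerically; if they compare lexically or error on an absent field, the actionResult 'accepted' tag would be applied to, or withheld from, the wrong events. Confirm the helpers' typing against their definition and record the assumption above the step, e.g. `# statusCode and origin.bytesReceived are compared numerically; a missing field must evaluate false`. The explicit parentheses are an improvement over the old `A && B || (...)` form, which relied on operator precedence.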

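--- a/filters/cisco/asa.yml
+++ b/filters/cisco/asa.yml
@@ -314,14 +314,14 @@ pipeline:
 params:
 key: actionResult
 value: 'accepted'
-where: safe("actionResult", "") && (safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0) == double(106103)) && (safe("actionResult", "") == "Permitted" || safe("actionResult", "") == "permitted")
+where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && equalsIgnoreCase("actionResult", "Permitted")
 # Adding action result
 - add:
 function: 'string'
 params:
 key: actionResult
 value: 'denied'
-where: safe("actionResult", "") && (safe("log.messageId", 0.0) == double(106102) || safe("log.messageId", 0.0) == double(106103)) && (safe("actionResult", "") != "Permitted" && safe("actionResult", "") != "permitted")
+where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && !equalsIgnoreCase("actionResult", "Permitted")
 #......................................................................#
 # ASA-4-109017
 - grok:
@@ -5754,21 +5754,21 @@ pipeline:
 params:
 key: action
 value: 'Threat-detection add host to shun list'
-where: (safe("log.messageId", 0.0)==double(733102) || safe("log.messageId", 0.0)==double(733103)) && safe("log.msg", "").contains("add")
+where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "add")
 - add:
 function: 'string'
 params:
 key: action
 value: 'Threat-detection removes host to shun list'
-where: (safe("log.messageId", 0.0)==double(733102) || safe("log.messageId", 0.0)==double(733103)) && safe("log.msg", "").contains("removes")
+where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "removes")
 #......................................................................#
 # Decoding severity
 - add:
 function: 'string'
 params:
 key: severity
 value: 'high'
-where: safe("log.severity", "") in ["1", "2", "3"]
+where: oneOf("log.severity", ["1", "2", "3"])
 - add:
 function: 'string'
 params:
@@ -5780,7 +5780,7 @@ pipeline:
 params:
 key: severity
 value: 'low'
-where: safe("log.severity", "") in ["5", "6", "7"]
+where: oneOf("log.severity", ["5", "6", "7"])
 #......................................................................#
 # Adding common geolocation
 - dynamic: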
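Review bot: The two `add` steps at lines 317 and 324 both read and write the same `actionResult` key, and the 'denied' condition at 324 is `!equalsIgnoreCase("actionResult", "Permitted")`; if `where` is evaluated against the current event state and `add` overwrites an existing value, a "Permitted" event is first rewritten to 'accepted' at 317 and then, no longer equal to "Permitted", rewritten to 'denied' at 324, so every ASA 106102/106103 permit would end up tagged as denied. This ordering predates the commit, but the rewrite keeps it and the paired inverted conditions make the dependency easy to miss. Placing the 'denied' step before the 'accepted' step removes the clash, because a value of 'denied' never satisfies `equalsIgnoreCase("actionResult", "Permitted")`; alternatively the second step can test a field that the first step does not rewrite. Separately, the shun-list step at 5757 matches `contains("log.msg", "add")` as a bare substring, which also matches words such as "address"; that is unchanged from the old `.contains("add")` but worth a comment if it is intended.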

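--- a/filters/cisco/cs_switch.yml
+++ b/filters/cisco/cs_switch.yml
@@ -139,7 +139,7 @@ pipeline:
 params:
 key: severity
 value: 'high'
-where: safe("log.severity", "") in ["0", "1", "2", "3"]
+where: oneOf("log.severity", ["0", "1", "2", "3"])
 - add:
 function: 'string'
 params:
@@ -151,7 +151,7 @@ pipeline:
 params:
 key: severity
 value: 'low'
-where: safe("log.severity", "") in ["5", "6", "7"]
+where: oneOf("log.severity", ["5", "6", "7"])
 #......................................................................#
 # Removing unused fields
 - delete: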
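Review bot: The lists at lines 142 and 154 compare `log.severity` against the string literals "0" to "7", so the match depends on the upstream parsing leaving the severity as a string; if an earlier step yields an integer, `oneOf` will not match unless it coerces, which the page does not show. The asa.yml severity hunks at 5771 and 5783 carry the same dependency. A short comment above the first bucket would document it, e.g. `# log.severity is matched as a string here; do not convert it to a number before these steps`. The 'medium' bucket between the two hunks is not visible on this page, so whether value "4" is covered cannot be confirmed here.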
