
Commit 1157c93

committed
Update the use of 'has' to 'exists' in the 'where' blocks.
1 parent 90b7651 commit 1157c93

26 files changed

Lines changed: 537 additions & 537 deletions

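--- a/filters/antivirus/bitdefender_gz.yml
+++ b/filters/antivirus/bitdefender_gz.yml
@@ -233,7 +233,7 @@ pipeline:
 params:
 source: origin.ip
 destination: origin.geolocation
-where: has(origin.ip)
+where: exists(origin.ip)
 
 # Reformat and field conversions
 - cast: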

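--- a/filters/antivirus/esmc-eset.yml
+++ b/filters/antivirus/esmc-eset.yml
@@ -90,37 +90,37 @@ pipeline:
 params:
 key: severity
 value: 'low'
-where: has(log.severity) && ( log.severity=="INFO" || log.severity=="Info" )
+where: exists(log.severity) && ( log.severity=="INFO" || log.severity=="Info" )
 
 - add:
 function: 'string'
 params:
 key: severity
 value: 'medium'
-where: has(log.severity) && (log.severity=="WARNING" || log.severity=="Warning")
+where: exists(log.severity) && (log.severity=="WARNING" || log.severity=="Warning")
 
 - add:
 function: 'string'
 params:
 key: severity
 value: 'high'
-where: has(log.severity) && (log.severity=="ERROR" || log.severity=="Error")
+where: exists(log.severity) && (log.severity=="ERROR" || log.severity=="Error")
 
 # Adding geolocation to origin.ip
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: origin.ip
 destination: origin.geolocation
-where: has(origin.ip)
+where: exists(origin.ip)
 
 # Adding geolocation to target.ip
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: target.ip
 destination: target.geolocation
-where: has(target.ip)
+where: exists(target.ip)
 
 # Removing unused fields
 - delete: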

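--- a/filters/antivirus/kaspersky.yml
+++ b/filters/antivirus/kaspersky.yml
@@ -1092,15 +1092,15 @@ pipeline:
 params:
 source: origin.ip
 destination: origin.geolocation
-where: has(origin.ip)
+where: exists(origin.ip)
 
 # Adding geolocation to target.ip
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: target.ip
 destination: target.geolocation
-where: has(target.ip)
+where: exists(target.ip)
 
 # .......................................................................#
 # Removing unused fields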

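--- a/filters/cisco/asa.yml
+++ b/filters/cisco/asa.yml
@@ -51,7 +51,7 @@ pipeline:
 params:
 source: log.localIp
 destination: log.localIp.geolocation
-where: has(log.localIp)
+where: exists(log.localIp)
 # Removing unwanted prefixes
 - trim:
 function: prefix
@@ -314,14 +314,14 @@ pipeline:
 params:
 key: actionResult
 value: 'accepted'
-where: has(actionResult) (log.messageId==106102 || log.messageId==106103) && (actionResult == "Permitted" || actionResult == "permitted")
+where: exists(actionResult) (log.messageId==106102 || log.messageId==106103) && (actionResult == "Permitted" || actionResult == "permitted")
 # Adding action result
 - add:
 function: 'string'
 params:
 key: actionResult
 value: 'denied'
-where: has(actionResult) && (log.messageId==106102 || log.messageId==106103) && (actionResult != "Permitted" && actionResult != "permitted")
+where: exists(actionResult) && (log.messageId==106102 || log.messageId==106103) && (actionResult != "Permitted" && actionResult != "permitted")
 #......................................................................#
 # ASA-4-109017
 - grok:
@@ -5788,118 +5788,118 @@ pipeline:
 params:
 source: origin.ip
 destination: origin.geolocation
-where: has(origin.ip)
+where: exists(origin.ip)
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: target.ip
 destination: target.geolocation
-where: has(target.ip)
+where: exists(target.ip)
 # Adding log.mappedIpFrom geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.mappedIpFrom
 destination: log.mappedIpFrom.geolocation
-where: has(log.mappedIpFrom)
+where: exists(log.mappedIpFrom)
 # Adding log.mappedIpTo geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.mappedIpTo
 destination: log.mappedIpTo.geolocation
-where: has(log.mappedIpTo)
+where: exists(log.mappedIpTo)
 # Adding log.translatedIpFrom geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.translatedIpFrom
 destination: log.translatedIpFrom.geolocation
-where: has(log.translatedIpFrom)
+where: exists(log.translatedIpFrom)
 # Adding log.translatedIpTo geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.translatedIpTo
 destination: log.translatedIpTo.geolocation
-where: has(log.translatedIpTo)
+where: exists(log.translatedIpTo)
 # Adding log.globalIp geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.globalIp
 destination: log.globalIp.geolocation
-where: has(log.globalIp)
+where: exists(log.globalIp)
 # Adding log.remoteIp geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.remoteIp
 destination: log.remoteIp.geolocation
-where: has(log.remoteIp)
+where: exists(log.remoteIp)
 # Adding log.mappedIp geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.mappedIp
 destination: log.mappedIp.geolocation
-where: has(log.mappedIp)
+where: exists(log.mappedIp)
 # Adding log.decapsulatedPktDestAddr geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.decapsulatedPktDestAddr
 destination: log.decapsulatedPktDestAddr.geolocation
-where: has(log.decapsulatedPktDestAddr)
+where: exists(log.decapsulatedPktDestAddr)
 # Adding log.decapsulatedPktSrcAddr geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.decapsulatedPktSrcAddr
 destination: log.decapsulatedPktSrcAddr.geolocation
-where: has(log.decapsulatedPktSrcAddr)
+where: exists(log.decapsulatedPktSrcAddr)
 # Adding log.localProxyIpAddr geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.localProxyIpAddr
 destination: log.localProxyIpAddr.geolocation
-where: has(log.localProxyIpAddr)
+where: exists(log.localProxyIpAddr)
 # Adding log.remoteProxyIpAddr geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.remoteProxyIpAddr
 destination: log.remoteProxyIpAddr.geolocation
-where: has(log.remoteProxyIpAddr)
+where: exists(log.remoteProxyIpAddr)
 # Adding log.primaryDns geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.primaryDns
 destination: log.primaryDns.geolocation
-where: has(log.primaryDns)
+where: exists(log.primaryDns)
 # Adding log.secondaryDns geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.secondaryDns
 destination: log.secondaryDns.geolocation
-where: has(log.secondaryDns)
+where: exists(log.secondaryDns)
 # Adding log.primaryWins geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.primaryWins
 destination: log.primaryWins.geolocation
-where: has(log.primaryWins)
+where: exists(log.primaryWins)
 # Adding log.secondaryWins geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.secondaryWins
 destination: log.secondaryWins.geolocation
-where: has(log.secondaryWins)
+where: exists(log.secondaryWins)
 #......................................................................#
 # Common field conversions
 - cast: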
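Review bot: The new `where` on the 'accepted' actionResult step (second hunk, line 317) is still missing the `&&` between `exists(actionResult)` and the `(log.messageId==106102 || log.messageId==106103)` group, unlike the 'denied' step at line 324 and the same step in filters/cisco/firepower.yml; the rename carried the old expression over unchanged. Depending on how the filter engine parses it, that step either errors or evaluates something other than the intended conjunction, so permitted 106102/106103 events may never be tagged `accepted`, which affects any detection or reporting keyed on actionResult. Suggested line: `where: exists(actionResult) && (log.messageId==106102 || log.messageId==106103) && (actionResult == "Permitted" || actionResult == "permitted")`. The `- add:` and `function:` lines that open this step are outside the hunk.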

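--- a/filters/cisco/firepower.yml
+++ b/filters/cisco/firepower.yml
@@ -51,7 +51,7 @@ pipeline:
 params:
 source: log.localIp
 destination: log.localIp.geolocation
-where: has(log.localIp)
+where: exists(log.localIp)
 # Removing unwanted prefixes
 - trim:
 function: prefix
@@ -312,14 +312,14 @@ pipeline:
 params:
 key: actionResult
 value: 'accepted'
-where: has(actionResult) && (log.messageId==106102 || log.messageId==106103) && (actionResult == "Permitted" || actionResult == "permitted")
+where: exists(actionResult) && (log.messageId==106102 || log.messageId==106103) && (actionResult == "Permitted" || actionResult == "permitted")
 # Adding action result
 - add:
 function: 'string'
 params:
 key: actionResult
 value: 'denied'
-where: has(actionResult) && (log.messageId==106102 || log.messageId==106103) && (actionResult != "Permitted" && actionResult != "permitted")
+where: exists(actionResult) && (log.messageId==106102 || log.messageId==106103) && (actionResult != "Permitted" && actionResult != "permitted")
 #......................................................................#
 # FTD-6-109101
 - grok:
@@ -5027,118 +5027,118 @@ pipeline:
 params:
 source: origin.ip
 destination: origin.geolocation
-where: has(origin.ip)
+where: exists(origin.ip)
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: target.ip
 destination: target.geolocation
-where: has(target.ip)
+where: exists(target.ip)
 # Adding log.mappedIpFrom geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.mappedIpFrom
 destination: log.mappedIpFrom.geolocation
-where: has(log.mappedIpFrom)
+where: exists(log.mappedIpFrom)
 # Adding log.mappedIpTo geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.mappedIpTo
 destination: log.mappedIpTo.geolocation
-where: has(log.mappedIpTo)
+where: exists(log.mappedIpTo)
 # Adding log.translatedIpFrom geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.translatedIpFrom
 destination: log.translatedIpFrom.geolocation
-where: has(log.translatedIpFrom)
+where: exists(log.translatedIpFrom)
 # Adding log.translatedIpTo geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.translatedIpTo
 destination: log.translatedIpTo.geolocation
-where: has(log.translatedIpTo)
+where: exists(log.translatedIpTo)
 # Adding log.globalIp geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.globalIp
 destination: log.globalIp.geolocation
-where: has(log.globalIp)
+where: exists(log.globalIp)
 # Adding log.remoteIp geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.remoteIp
 destination: log.remoteIp.geolocation
-where: has(log.remoteIp)
+where: exists(log.remoteIp)
 # Adding log.mappedIp geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.mappedIp
 destination: log.mappedIp.geolocation
-where: has(log.mappedIp)
+where: exists(log.mappedIp)
 # Adding log.decapsulatedPktDestAddr geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.decapsulatedPktDestAddr
 destination: log.decapsulatedPktDestAddr.geolocation
-where: has(log.decapsulatedPktDestAddr)
+where: exists(log.decapsulatedPktDestAddr)
 # Adding log.decapsulatedPktSrcAddr geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.decapsulatedPktSrcAddr
 destination: log.decapsulatedPktSrcAddr.geolocation
-where: has(log.decapsulatedPktSrcAddr)
+where: exists(log.decapsulatedPktSrcAddr)
 # Adding log.localProxyIpAddr geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.localProxyIpAddr
 destination: log.localProxyIpAddr.geolocation
-where: has(log.localProxyIpAddr)
+where: exists(log.localProxyIpAddr)
 # Adding log.remoteProxyIpAddr geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.remoteProxyIpAddr
 destination: log.remoteProxyIpAddr.geolocation
-where: has(log.remoteProxyIpAddr)
+where: exists(log.remoteProxyIpAddr)
 # Adding log.primaryDns geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.primaryDns
 destination: log.primaryDns.geolocation
-where: has(log.primaryDns)
+where: exists(log.primaryDns)
 # Adding log.secondaryDns geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.secondaryDns
 destination: log.secondaryDns.geolocation
-where: has(log.secondaryDns)
+where: exists(log.secondaryDns)
 # Adding log.primaryWins geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.primaryWins
 destination: log.primaryWins.geolocation
-where: has(log.primaryWins)
+where: exists(log.primaryWins)
 # Adding log.secondaryWins geolocation
 - dynamic:
 plugin: com.utmstack.geolocation
 params:
 source: log.secondaryWins
 destination: log.secondaryWins.geolocation
-where: has(log.secondaryWins)
+where: exists(log.secondaryWins)
 #......................................................................#
 # Common field conversions
 - cast: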
