Created
June 22, 2025 12:42
-
-
Save iamhowardtheduck/53e92a9dabc88e8e73525104eadd5d3e to your computer and use it in GitHub Desktop.
logs-ti_tor.node_activity Elastic-Agent Processors
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - decode_json_fields: | |
| fields: ["message"] | |
| target: "" | |
| overwrite_keys: true | |
| - rename: | |
| fields: | |
| - from: "advertised_bandwidth" | |
| to: "tor.bandwidth.advertised" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "bandwidth_burst" | |
| to: "tor.bandwidth.burst" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "bandwidth_rate" | |
| to: "tor.bandwidth.rate" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "observed_bandwidth" | |
| to: "tor.bandwidth.observed" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "as" | |
| to: "tor.as.number" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "as_name" | |
| to: "tor.as.organization.name" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "consensus_weight" | |
| to: "tor.consensus.weight" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "consensus_weight_fraction" | |
| to: "tor.consensus.weight_fraction" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "contact" | |
| to: "tor.contact.original" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "alleged_family" | |
| to: "tor.family.alleged" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "effective_family" | |
| to: "tor.family.effective" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "exit_addresses" | |
| to: "tor.exit.ip" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "exit_policy" | |
| to: "tor.exit_policy" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "exit_policy_summary.accept" | |
| to: "tor.exit.policy.ipv4.accept" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "exit_policy_summary.reject" | |
| to: "tor.exit.policy.ipv4.reject" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "exit_policy_v6_summary.accept" | |
| to: "tor.exit.policy.ipv6.accept" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "exit_policy_v6_summary.reject" | |
| to: "tor.exit.policy.ipv6.reject" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "exit_probability" | |
| to: "tor.exit.probability" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "fingerprint" | |
| to: "tor.fingerprint" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "first_seen" | |
| to: "tor.first_seen" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "flags" | |
| to: "tor.description" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "guard_probability" | |
| to: "tor.guard.probability" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "indirect_family" | |
| to: "tor.family.indirect" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "last_changed_address_or_port" | |
| to: "tor.last_changed" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "last_restarted" | |
| to: "tor.last_restarted" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "last_seen" | |
| to: "tor.last_seen" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "measured" | |
| to: "tor.measured" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "middle_probability" | |
| to: "tor.middle.probability" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "nickname" | |
| to: "tor.name" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "or_addresses" | |
| to: "tor.routing.addresses" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "overload_general_timestamp" | |
| to: "tor.overload" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "platform" | |
| to: "tor.platform" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "recommended_version" | |
| to: "tor.recommended_version" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "running" | |
| to: "tor.running" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "unverified_host_names" | |
| to: "tor.hostname.unverified" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "verified_host_names" | |
| to: "tor.hostname.verified" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "version" | |
| to: "tor.version" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "version_status" | |
| to: "tor.version_status" | |
| ignore_missing: true | |
| - add_fields: | |
| target: event | |
| fields: | |
| module: "ti_tor" | |
| category: "threat" | |
| type: "indicator" | |
| kind: "enrichment" | |
| dataset: "node_activity" | |
| - copy_fields: | |
| fields: | |
| - from: "tor.exit.ip" | |
| to: "threat.indicator.ip" | |
| fail_on_error: false | |
| ignore_missing: true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment