Move email to ECS field

elastic · Oct 7, 2021 · 6033972 · 6033972
1 parent 32fae9e
commit 6033972
Show file tree

Hide file tree

Showing 5 changed files with 139 additions and 67 deletions.
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -151003,16 +151003,6 @@ type: boolean
 
 --
 
-*`threatintel.misp.event_creator_email`*::
-+
---
-The email of the creator of the event.
-
-
-type: keyword
-
---
-
 *`threatintel.misp.attribute.id`*::
 +
 --

diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go
diff --git a/x-pack/filebeat/module/threatintel/misp/_meta/fields.yml b/x-pack/filebeat/module/threatintel/misp/_meta/fields.yml
@@ -103,10 +103,6 @@
  type: boolean
  description: >
  If the Organization Community was local or synced from a remote source.
- - name: event_creator_email
- type: keyword
- description: >
- The email of the creator of the event.
  - name: attribute.id
  type: keyword
  description: >

diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
@@ -247,6 +247,14 @@ processors:
  target_field: threatintel.indicator.email.address
  ignore_missing: true
  if: ctx?.threatintel?.indicator?.type == 'email-addr'
+ - rename:
+ field: threatintel.misp.event_creator_email
+ target_field: user.email
+ ignore_missing: true
+ - append:
+ field: user.roles
+ value: "reporting_user"
+ if: ctx?.user?.email != null
 
  ## MAC Address indicator operations
  - set: