From 09276d6f71a8c0f454cb9a5fbba4e2ac9ec31c0c Mon Sep 17 00:00:00 2001
From: gujinkai
Date: Fri, 21 Jun 2024 16:00:27 +0800
Subject: [PATCH] =?UTF-8?q?CN=2024.04=20=E5=8D=95=E6=9C=BA=E7=89=88?= =?UTF-8?q?=E6=9C=AC=E5=A2=9E=E5=8A=A0=E5=AF=B9server=5Fdomain=E7=9A=84?= =?UTF-8?q?=E5=A4=84=E7=90=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../groot_stream/etl_session_record_kafka_to_cn_kafka | 11 +++++++++++
 .../upgrade/2024/CN-24.04/groot_stream/udf.plugins | 1 +
 2 files changed, 12 insertions(+)
diff --git a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka
index 82b4855..96477e4 100644
--- a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka
+++ b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka
@@ -43,6 +43,17 @@ processing_pipelines:
 parameters:
 value_expression: "recv_time == null ? kafka_recv_time : recv_time"
 
+ - function: DOMAIN
+ lookup_fields: [ http_host, ssl_sni, dtls_sni, quic_sni ]
+ output_fields: [ cn_server_domain ]
+ parameters:
+ option: FIRST_SIGNIFICANT_SUBDOMAIN
+
+ - function: EVAL
+ output_fields: [ server_domain ]
+ parameters:
+ value_expression: "server_domain == null ? cn_server_domain : server_domain"
+
 - function: EVAL
 output_fields: [ domain ]
 parameters:
diff --git a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins
index eb9fd57..d482afb 100644
--- a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins
+++ b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins
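Review bot: The DOMAIN step's lookup_fields (http_host, ssl_sni, dtls_sni, quic_sni) are all values copied from the observed client traffic, and nothing on the page says what FIRST_SIGNIFICANT_SUBDOMAIN yields for a Host value that carries a port, an IP literal or an arbitrary non-domain string, so cn_server_domain may carry such a value straight into server_domain through the EVAL that follows; worth confirming against the Domain UDF and, if it does not normalize these cases, guarding the backfill. The fallback condition `server_domain == null` also leaves an empty string untouched, so if any upstream emitter sets `""` rather than null the new value never applies — the recv_time step above relies on the same null convention, so this is presumably consistent, but confirm. cn_server_domain stays in the record as a helper field after the backfill; if it exists only to feed server_domain, say so in a comment or drop it downstream. A YAML comment on the DOMAIN step would make the intent explicit, e.g. `# server_domain fallback: first significant subdomain of http_host / ssl_sni / dtls_sni / quic_sni (client-supplied; presumably first non-null in lookup order)`. The enclosing processing_pipelines list starts before this hunk.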
@@ -19,3 +19,4 @@ com.geedgenetworks.core.udf.cn.ArrayElementsPrepend
 com.geedgenetworks.core.udf.cn.IntelligenceIndicatorLookup
 com.geedgenetworks.core.udf.SnowflakeId
 com.geedgenetworks.core.udf.UnixTimestampConverter
+com.geedgenetworks.core.udf.Domain