CN 24.04 单机版本增加对server_domain的处理

2024-06-21 16:00:27 +08:00
parent dfa105063b
commit 09276d6f71
2 changed files with 12 additions and 0 deletions
--- a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka
+++ b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka
@@ -43,6 +43,17 @@ processing_pipelines:
        parameters:
          value_expression: "recv_time == null ? kafka_recv_time : recv_time"

+      - function: DOMAIN
+        lookup_fields: [ http_host, ssl_sni, dtls_sni, quic_sni ]
+        output_fields: [ cn_server_domain ]
+        parameters:
+          option: FIRST_SIGNIFICANT_SUBDOMAIN
+
+      - function: EVAL
+        output_fields: [ server_domain ]
+        parameters:
+          value_expression: "server_domain == null ? cn_server_domain : server_domain"
+
      - function: EVAL
        output_fields: [ domain ]
        parameters:
--- a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins
+++ b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins
@@ -19,3 +19,4 @@ com.geedgenetworks.core.udf.cn.ArrayElementsPrepend
 com.geedgenetworks.core.udf.cn.IntelligenceIndicatorLookup
 com.geedgenetworks.core.udf.SnowflakeId
 com.geedgenetworks.core.udf.UnixTimestampConverter
+com.geedgenetworks.core.udf.Domain