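# CrowdSec parser node: copies fields of AppSec (WAF) events into evt.Meta so
# that later stages, scenarios and alerts can use them.
# Restored from a listing whose gutter line numbers were fused into the keys
# and whose indentation was lost; keys and values are unchanged.

# Hand the event to the next parsing stage once this node has matched.
onsuccess: next_stage
format: 3.0

# Only events tagged with program 'appsec' are handled by this node.
filter: "evt.Parsed.program == 'appsec'"
name: crowdsecurity/appsec-logs
description: "Parse Appsec events"
statics:
  - meta: service
    value: appsec
  # NOTE(review): presumably the client address as reported by the
  # remediation component; decisions keyed on it are only as reliable as the
  # way that component derives the address (e.g. proxy headers). Confirm.
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  # target_host and target_uri appear to come from the inspected request, so
  # they are client-controlled: treat them as untrusted wherever they are
  # rendered or interpolated (notifications, dashboards, templates).
  - meta: target_host
    expression: "evt.Parsed.target_host"
  # Request identifier, useful for correlating this event with other logs.
  - meta: request_uuid
    expression: "evt.Parsed.req_uuid"
  - meta: target_uri
    expression: "evt.Parsed.target_uri"

  # "appsec-block" when the event carries in-band rule matches, otherwise
  # "appsec-info". Detection that should fire only on blocked requests has to
  # filter on this value. The block scalar keeps a trailing newline.
  - meta: log_type
    expression: |
      evt.Appsec.HasInBandMatches ? "appsec-block" : "appsec-info"
  - meta: rule_name
    expression: evt.Appsec.GetName()
  # Stored as one formatted string (Go "%+v" rendering), not as a list;
  # consumers that need individual rule IDs must parse it.
  - meta: rule_ids
    expression: Sprintf("%+v", evt.Appsec.GetRuleIDs())
  # NOTE(review): looks like the address of the remediation component that
  # submitted the request for inspection; verify against the AppSec source.
  - meta: remediation_cmpt_ip
    expression: "evt.Parsed.remediation_cmpt_ip"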