packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs (142 lines of code) (raw):

# Input settings rendered from the integration's policy variables.
# queue_url is always emitted; every other setting below is written only when
# its variable is set.
# NOTE(review): line breaks and indentation were reconstructed from a collapsed
# listing - confirm the nesting against the repository copy before relying on it.
queue_url: {{queue_url}}
{{#if credential_profile_name}}
credential_profile_name: {{credential_profile_name}}
{{/if}}
{{#if shared_credential_file}}
shared_credential_file: {{shared_credential_file}}
{{/if}}
{{#if visibility_timeout}}
visibility_timeout: {{visibility_timeout}}
{{/if}}
{{#if api_timeout}}
api_timeout: {{api_timeout}}
{{/if}}
{{#if max_number_of_messages}}
max_number_of_messages: {{max_number_of_messages}}
{{/if}}
{{#if number_of_workers}}
number_of_workers: {{number_of_workers}}
{{/if}}
{{#if endpoint}}
endpoint: {{endpoint}}
{{/if}}
{{#if default_region}}
default_region: {{default_region}}
{{/if}}
# Static AWS credentials are interpolated verbatim into the rendered config.
# NOTE(review): confirm the manifest declares secret_access_key and
# session_token as secret-typed variables so they are not stored or shown in
# clear text; a credential profile or role_arn avoids long-lived keys here.
{{#if access_key_id}}
access_key_id: {{access_key_id}}
{{/if}}
{{#if secret_access_key}}
secret_access_key: {{secret_access_key}}
{{/if}}
{{#if session_token}}
session_token: {{session_token}}
{{/if}}
{{#if role_arn}}
role_arn: {{role_arn}}
{{/if}}
{{#if fips_enabled}}
fips_enabled: {{fips_enabled}}
{{/if}}
# NOTE(review): a proxy URL can embed credentials - confirm it is handled as a
# sensitive value wherever this policy is stored or exported.
{{#if proxy_url }}
proxy_url: {{proxy_url}}
{{/if}}
# The SQS notification parsing script is the only value in this template that
# is passed through escape_string. fdr_parsing_script is defined outside this
# template.
{{#if is_fdr_queue}}
sqs.notification_parsing_script.source: {{escape_string fdr_parsing_script}}
{{/if}}
# The tags header is emitted when the user supplied tags, or when
# preserve_original_event is set and its tag is therefore added below.
{{#if tags.length}}
tags:
{{else}}
{{#if preserve_original_event}}
tags:
{{/if}}
{{/if}}
{{#if preserve_original_event}}
  - preserve_original_event
{{/if}}
# NOTE(review): each tag is interpolated unquoted and without escape_string, so
# a value containing YAML syntax changes the rendered document - confirm tags
# are validated where the variable is declared.
{{#each tags as |tag|}}
  - {{tag}}
{{/each}}
# For forwarded events, stop the publisher pipeline from adding this agent's
# own host fields.
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
# Pipeline options are attached to every event under _conf at the event root.
# NOTE(review): presumably read by the ingest pipeline - confirm there.
fields_under_root: true
fields:
  _conf:
    long_fields: {{long_fields}}
    long_fields_max_length: {{long_fields_max_length}}
    enable_deduplication: {{enable_deduplication}}
    prune_fields: {{prune_fields}}
processors:
- add_locale: ~
{{#if enrich_metadata}}
# Metadata enrichment: decode the message JSON into crowdstrike, then either
# store the record in a cache (aidmaster / userinfo files) or look it up
# (all other files).
- decode_json_fields:
    fields: message
    target: crowdstrike
- if:
    contains:
      log.file.path: aidmaster
  then:
    # Host metadata records are cached by agent id.
    # NOTE(review): the file backend presumably persists cache contents on the
    # agent host's disk - confirm that location is readable only by the agent.
    - cache:
        backend:
          capacity: {{metadata_cache_capacity}}
          file:
            id: aidmaster
            write_interval: {{metadata_cache_write_interval}}
        put:
          ttl: {{metadata_ttl}}
          key_field: crowdstrike.aid
          value_field: crowdstrike
        ignore_missing: true
{{#unless keep_metadata}}
    # Unless keep_metadata is set, the aidmaster record itself is not indexed.
    - drop_event:
        when:
          contains:
            log.file.path: aidmaster
{{/unless}}
  else:
    - if:
        contains:
          log.file.path: userinfo
      then:
        # User metadata records are cached by crowdstrike.UserSid_readable.
        - cache:
            backend:
              capacity: {{metadata_cache_capacity}}
              file:
                id: userinfo
                write_interval: {{metadata_cache_write_interval}}
            put:
              ttl: {{metadata_ttl}}
              key_field: crowdstrike.UserSid_readable
              value_field: crowdstrike
            ignore_missing: true
{{#unless keep_metadata}}
        # Unless keep_metadata is set, the userinfo record itself is not indexed.
        - drop_event:
            when:
              contains:
                log.file.path: userinfo
{{/unless}}
      else:
        # Every other event is enriched from both caches. ignore_missing keeps
        # events that lack the key field from raising an error.
        - cache:
            backend:
              file:
                id: aidmaster
            get:
              key_field: crowdstrike.aid
              target_field: metadata.host
            ignore_missing: true
        # NOTE(review): the userinfo cache is written with
        # crowdstrike.UserSid_readable but read with crowdstrike.UserSid -
        # confirm both carry the same value, otherwise user lookups miss.
        - cache:
            backend:
              file:
                id: userinfo
            get:
              key_field: crowdstrike.UserSid
              target_field: metadata.user
            ignore_missing: true
# The decoded copy is removed once enrichment is done.
# NOTE(review): the collapsed listing does not show whether drop_fields sits at
# the top level (as placed here) or inside the innermost else - confirm.
- drop_fields:
    fields:
      - crowdstrike
{{/if}}
# User-supplied processors are appended verbatim, without escaping, and must be
# valid YAML list items at this level. Anyone who can edit this policy variable
# controls what runs on each event, so restrict policy edit rights accordingly.
{{#if processors}}
{{processors}}
{{/if}}