I'm trying to enhance the filebeat-7.9.3-azure-activitylogs-pipeline to parse the information about vulnerability scans (Azure Security Center / Qualys) into ECS.
I'm stuck with the problem that some of the fields have a $-character in their name.
The error is:
[script_exception] compile error, with { script_stack={ 0="... itionalData?.Cvss?.2?.0?.$type == 'additionalData/ ..." & 1=" ^---- HERE" } & script="ctx.azure.activitylogs.Type == 'Microsoft.Security/assessments/subAssessments' && ctx.azure.activitylogs.Properties?.AdditionalData?.AssessedResourceType == 'ServerVulnerability' && ctx.azure.activitylogs.Properties?.AdditionalData?.Cvss?.2?.0?.$type == 'additionalData/cvss'" & lang="painless" & position={ offset=245 & start=220 & end=270 } }
My processor is as follows. If I remove the $ sign (i.e. rename $type to type), the error goes away.
"set": {
  "if": "ctx.azure.activitylogs.Type == 'Microsoft.Security/assessments/subAssessments' && ctx.azure.activitylogs.Properties?.AdditionalData?.AssessedResourceType == 'ServerVulnerability' && ( ctx.azure.activitylogs.Properties?.AdditionalData?.Cvss?.2?.0?.$type == 'additionalData/cvss' || ctx.azure.activitylogs.Properties?.AdditionalData?.Cvss?.3?.0?.$type == 'additionalData/cvss')",
  "field": "vulnerability.classification",
  "value": "cvss"
}
Does anybody have an idea how I can avoid this? Escaping the $ with backslashes didn't help.