Assuming you have the above working, this is how we will call your enrich pipeline.
We will follow the new framework here. It refers to Elastic Agent, but it works with the data streams we created.
Your existing enrich pipeline:
PUT _ingest/pipeline/mitre_attack_pipeline
{
  "description": "Pipeline to enrich MITRE ATT&CK fields",
  "processors": [
    {
      "set": {
        "field": "pipeline_name",
        "value": "mitre_attack_pipeline"
      }
    },
    {
      "enrich": {
        "policy_name": "mitre_tactic_policy",
        "field": "attack_tactic",
        "target_field": "attack_tactic_description",
        "ignore_missing": true
      }
    },
    {
      "enrich": {
        "policy_name": "mitre_technique_policy",
        "field": "attack_technique",
        "target_field": "attack_technique_description",
        "ignore_missing": true
      }
    }
  ]
}
And now this...
This pipeline will use the data stream framework to call your pipeline for the correct data streams. I tested it without your enrich policies because I do not have them, but I verified that the above pipeline is called and added the pipeline_name to the document, so I know it is running.
PUT _ingest/pipeline/logs@custom
{
  "processors": [
    {
      "pipeline": {
        "name": "mitre_attack_pipeline",
        "if": "ctx.data_stream?.dataset != null && (ctx.data_stream.dataset == 'carbon_black.observations' || ctx.data_stream.dataset == 'carbon_black.vulnerabilities')"
      }
    }
  ]
}
Get this working, then we may need to validate your enrich processors, etc.
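The post verifies the wiring by looking for pipeline_name on the output document. The following is an added example (not code from the post, the Elastic integration, or its author) that turns that manual check into a small harness: it mirrors the routing condition of the pipeline processor in Python, builds the body for POST _ingest/pipeline/logs@custom/_simulate, and reads the _simulate response to confirm that the enrich pipeline ran only for the carbon_black datasets and that each enrich processor wrote its target_field when the source field was present. The sample documents and the sample response are constructed here; the shape of the attack_tactic_description / attack_technique_description objects depends on the enrich policies' enrich_fields and is an assumption, as are the ES_URL variable and the function names.

```python
"""Offline check harness for the mitre_attack_pipeline / logs@custom wiring.

Added example, not code from the post above. Sample documents and the
sample _simulate response are constructed for illustration; the contents of
the *_description objects are assumed (they depend on the enrich policies).
"""
import json
import os
import urllib.request

ROUTED_DATASETS = {"carbon_black.observations", "carbon_black.vulnerabilities"}
ENRICH_FIELDS = (
    ("attack_tactic", "attack_tactic_description"),
    ("attack_technique", "attack_technique_description"),
)


def routes_to_enrich(doc: dict) -> bool:
    """Python equivalent of the `if` on the pipeline processor in logs@custom.
    Null-safe on data_stream as well as dataset: a document with no
    data_stream object is skipped rather than raising."""
    ds = doc.get("data_stream")
    dataset = ds.get("dataset") if isinstance(ds, dict) else None
    return dataset is not None and dataset in ROUTED_DATASETS


def build_simulate_request(docs: list) -> dict:
    """Body for POST _ingest/pipeline/logs@custom/_simulate."""
    return {"docs": [{"_source": doc} for doc in docs]}


def check_simulate_response(response: dict, docs: list) -> list:
    """One verdict per input document.

    A routed document must come back with pipeline_name set by the enrich
    pipeline's set processor, and each enrich processor must have written
    its target_field whenever its source field was present. A document
    that is not routed must come back without pipeline_name."""
    verdicts = []
    for src, out in zip(docs, response["docs"]):
        if "error" in out:  # a processor raised (e.g. policy never executed)
            verdicts.append({"ok": False, "reason": out["error"].get("reason", "pipeline error")})
            continue
        result = out["doc"]["_source"]
        expected = routes_to_enrich(src)
        ran = result.get("pipeline_name") == "mitre_attack_pipeline"
        problems = []
        if ran != expected:
            problems.append(f"enrich pipeline {'ran' if ran else 'did not run'} but routing says {'run' if expected else 'skip'}")
        if expected:
            for field, target in ENRICH_FIELDS:
                if field in src and target not in result:
                    problems.append(f"{target} missing for {field}={src[field]!r}: policy not executed, or no row for that value")
        verdicts.append({"ok": not problems, "reason": "; ".join(problems) or "ok"})
    return verdicts


def simulate_live(docs: list, es_url: str, pipeline: str = "logs@custom") -> dict:
    """Run the same documents through a real cluster (both pipelines and the
    executed enrich policies must exist there). Authentication is left out."""
    body = json.dumps(build_simulate_request(docs)).encode()
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/_ingest/pipeline/{pipeline}/_simulate",
        data=body, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample input: two routed datasets, one other dataset, and one
# document with no data_stream object at all.
SAMPLE_DOCS = [
    {"data_stream": {"dataset": "carbon_black.observations"},
     "attack_tactic": "TA0002", "attack_technique": "T1059"},
    {"data_stream": {"dataset": "carbon_black.vulnerabilities"}},
    {"data_stream": {"dataset": "system.syslog"}, "attack_tactic": "TA0002"},
    {"message": "no data_stream object"},
]

# Constructed sample _simulate response showing what a correct run looks like.
SAMPLE_RESPONSE = {"docs": [
    {"doc": {"_source": {**SAMPLE_DOCS[0], "pipeline_name": "mitre_attack_pipeline",
                         "attack_tactic_description": {"name": "Execution"},
                         "attack_technique_description": {"name": "Command and Scripting Interpreter"}}}},
    {"doc": {"_source": {**SAMPLE_DOCS[1], "pipeline_name": "mitre_attack_pipeline"}}},
    {"doc": {"_source": dict(SAMPLE_DOCS[2])}},
    {"doc": {"_source": dict(SAMPLE_DOCS[3])}},
]}


if __name__ == "__main__":
    # With ES_URL set (assumed variable) the check runs against a cluster;
    # otherwise it runs against the constructed sample response.
    response = simulate_live(SAMPLE_DOCS, os.environ["ES_URL"]) if os.environ.get("ES_URL") else SAMPLE_RESPONSE
    for doc, verdict in zip(SAMPLE_DOCS, check_simulate_response(response, SAMPLE_DOCS)):
        print((doc.get("data_stream") or {}).get("dataset"), verdict)
```

Before running it against a cluster, execute both enrich policies (POST _enrich/policy/mitre_tactic_policy/_execute and the same for mitre_technique_policy); an enrich processor cannot resolve a policy that has never been executed, and ignore_missing only covers a document that lacks the source field.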