Kismet integration: TODO Elasticsearch mappings

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2025-12-06 17:22:49 +01:00 · 2024-03-29 13:56:01 -04:00
parent cc2164221c
commit 000d15a53c
15 changed files with 483 additions and 0 deletions
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -10491,6 +10491,49 @@ elasticsearch:
              set_priority:
                priority: 50
            min_age: 30d
+    so-kismet:
+      index_sorting: false
+      index_template:
+        composed_of:
+        - kismet-mappings
+        - so-fleet_globals-1
+        - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
+        index_patterns:
+        - logs-kismet-so*
+        priority: 501
+        template:
+          settings:
+            index:
+              lifecycle:
+                name: so-kismet-logs
+              number_of_replicas: 0
+      policy:
+        phases:
+          cold:
+            actions:
+              set_priority:
+                priority: 0
+            min_age: 30d
+          delete:
+            actions:
+              delete: {}
+            min_age: 365d
+          hot:
+            actions:
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+              set_priority:
+                priority: 100
+            min_age: 0ms
+          warm:
+            actions:
+              set_priority:
+                priority: 50
+            min_age: 30d
    so-logstash:
      index_sorting: false
      index_template:
--- a/salt/elasticsearch/files/ingest/kismet.ad_hoc
+++ b/salt/elasticsearch/files/ingest/kismet.ad_hoc
@@ -0,0 +1,10 @@
+{
+  "processors": [
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_macaddr",
+        "target_field": "wireless.bssid"
+      }
+    }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/kismet.ap
+++ b/salt/elasticsearch/files/ingest/kismet.ap
@@ -0,0 +1,50 @@
+{
+  "processors": [
+    {
+      "rename": {
+        "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_cloaked",
+        "target_field": "wireless.ssid_cloaked",
+        "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_cloaked != null"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_ssid",
+        "target_field": "wireless.ssid",
+        "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_ssid != null"
+      }
+    },
+    {
+      "set": {
+        "field": "wireless.ssid",
+        "value": "Hidden",
+        "if": "ctx?.wireless?.ssid_cloaked != null && ctx?.wireless?.ssid_cloaked == 1"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_dot11e_channel_utilization_perc",
+        "target_field": "wireless.channel_utilization",
+        "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_dot11e_channel_utilization_perc != null"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.dot11_device.dot11_device_last_bssid",
+        "target_field": "wireless.bssid"
+      }
+    },
+    {
+      "foreach": {
+        "field": "message2.dot11_device.dot11_device_associated_client_map",
+        "processor": {
+          "append": {
+            "field": "wireless.associated_clients",
+            "value": "{{_ingest._key}}"
+          }
+        },
+        "if": "ctx?.message2?.dot11_device?.dot11_device_associated_client_map != null"
+      }
+    }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/kismet.bridged
+++ b/salt/elasticsearch/files/ingest/kismet.bridged
@@ -0,0 +1,16 @@
+{
+  "processors": [
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_macaddr",
+        "target_field": "client.mac"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.dot11_device.dot11_device_last_bssid",
+        "target_field": "wireless.bssid"
+      }
+    }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/kismet.client
+++ b/salt/elasticsearch/files/ingest/kismet.client
@@ -0,0 +1,29 @@
+{
+  "processors": [
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_macaddr",
+        "target_field": "client.mac"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.dot11_device.dot11_device_last_bssid",
+        "target_field": "wireless.last_connected_bssid",
+        "if": "ctx?.message2?.dot11_device?.dot11_device_last_bssid != null"
+      }
+    },
+    {
+      "foreach": {
+        "field": "message2.dot11_device.dot11_device_client_map",
+        "processor": {
+          "append": {
+            "field": "wireless.known_connected_bssid",
+            "value": "{{_ingest._key}}"
+          }
+        },
+        "if": "ctx?.message2?.dot11_device?.dot11_device_client_map != null"
+      }
+    }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/kismet.common
+++ b/salt/elasticsearch/files/ingest/kismet.common
@@ -0,0 +1,158 @@
+{
+  "processors": [
+    {
+      "json": {
+        "field": "message",
+        "target_field": "message2"
+      }
+    },
+    {
+      "date": {
+        "field": "message2.kismet_device_base_mod_time",
+        "formats": [
+          "epoch_second"
+        ],
+        "target_field": "@timestamp"
+      }
+    },
+    {
+      "set": {
+        "field": "event.category",
+        "value": "network"
+      }
+    },
+    {
+      "dissect": {
+        "field": "message2.kismet_device_base_type",
+        "pattern": "%{wifi} %{device_type}"
+      }
+    },
+    {
+      "lowercase": {
+        "field": "device_type"
+      }
+    },
+    {
+      "set": {
+        "field": "event.dataset",
+        "value": "kismet.{{device_type}}"
+      }
+    },
+    {
+      "set": {
+        "field": "event.dataset",
+        "value": "kismet.wds_ap",
+        "if": "ctx?.device_type == 'wds ap'"
+      }
+    },
+    {
+      "set": {
+        "field": "event.dataset",
+        "value": "kismet.ad_hoc",
+        "if": "ctx?.device_type == 'ad-hoc'"
+      }
+    },
+    {
+      "set": {
+        "field": "event.module",
+        "value": "kismet"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_packets_tx_total",
+        "target_field": "source.packets"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_num_alerts",
+        "target_field": "kismet.alerts.count"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_channel",
+        "target_field": "wireless.channel",
+        "if": "ctx?.message2?.kismet_device_base_channel != ''"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_frequency",
+        "target_field": "wireless.frequency",
+        "if": "ctx?.message2?.kismet_device_base_frequency != 0"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_last_time",
+        "target_field": "kismet.last_seen"
+      }
+    },
+    {
+      "date": {
+        "field": "kismet.last_seen",
+        "formats": [
+          "epoch_second"
+        ],
+        "target_field": "kismet.last_seen"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_first_time",
+        "target_field": "kismet.first_seen"
+      }
+    },
+    {
+      "date": {
+        "field": "kismet.first_seen",
+        "formats": [
+          "epoch_second"
+        ],
+        "target_field": "kismet.first_seen"
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_seenby",
+        "target_field": "kismet.seenby"
+      }
+    },
+    {
+      "foreach": {
+        "field": "kismet.seenby",
+        "processor": {
+          "pipeline": {
+            "name": "kismet.seenby"
+          }
+        }
+      }
+    },
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_manuf",
+        "target_field": "device.manufacturer"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "{{event.dataset}}"
+      }
+    },
+    {
+      "remove": {
+        "field": [
+          "message2",
+          "message",
+          "device_type",
+          "wifi",
+          "agent",
+          "host"
+        ],
+        "ignore_failure": true
+      }
+    }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/kismet.device
+++ b/salt/elasticsearch/files/ingest/kismet.device
@@ -0,0 +1,9 @@
+{
+  "processors": [
+    {
+      "pipeline": {
+        "name": "kismet.client"
+      }
+    }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/kismet.seenby
+++ b/salt/elasticsearch/files/ingest/kismet.seenby
@@ -0,0 +1,52 @@
+{
+  "processors": [
+    {
+      "rename": {
+        "field": "_ingest._value.kismet_common_seenby_num_packets",
+        "target_field": "_ingest._value.packets_seen",
+        "ignore_missing": true
+      }
+    },
+    {
+      "rename": {
+        "field": "_ingest._value.kismet_common_seenby_uuid",
+        "target_field": "_ingest._value.serial_number",
+        "ignore_missing": true
+      }
+    },
+    {
+      "rename": {
+        "field": "_ingest._value.kismet_common_seenby_first_time",
+        "target_field": "_ingest._value.first_seen",
+        "ignore_missing": true
+      }
+    },
+    {
+      "rename": {
+        "field": "_ingest._value.kismet_common_seenby_last_time",
+        "target_field": "_ingest._value.last_seen",
+        "ignore_missing": true
+      }
+    },
+    {
+      "date": {
+        "field": "_ingest._value.first_seen",
+        "formats": [
+          "epoch_second"
+        ],
+        "target_field": "_ingest._value.first_seen",
+        "ignore_failure": true
+      }
+    },
+    {
+      "date": {
+        "field": "_ingest._value.last_seen",
+        "formats": [
+          "epoch_second"
+        ],
+        "target_field": "_ingest._value.last_seen",
+        "ignore_failure": true
+      }
+    }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/kismet.wds
+++ b/salt/elasticsearch/files/ingest/kismet.wds
@@ -0,0 +1,10 @@
+{
+  "processors": [
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_macaddr",
+        "target_field": "client.mac"
+      }
+    }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/kismet.wds_ap
+++ b/salt/elasticsearch/files/ingest/kismet.wds_ap
@@ -0,0 +1,22 @@
+{
+  "processors": [
+    {
+      "rename": {
+        "field": "message2.kismet_device_base_commonname",
+        "target_field": "wireless.bssid"
+      }
+    },
+    {
+      "foreach": {
+        "field": "message2.dot11_device.dot11_device_associated_client_map",
+        "processor": {
+          "append": {
+            "field": "wireless.associated_clients",
+            "value": "{{_ingest._key}}"
+          }
+        },
+        "if": "ctx?.message2?.dot11_device?.dot11_device_associated_client_map != null"
+      }
+    }
+  ]
+}
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -511,6 +511,7 @@ elasticsearch:
    so-suricata: *indexSettings
    so-import: *indexSettings
    so-kratos: *indexSettings
+    so-kismet: *indexSettings
    so-logstash: *indexSettings
    so-redis: *indexSettings
    so-strelka: *indexSettings
--- a/salt/elasticsearch/templates/component/ecs/kismet.json
+++ b/salt/elasticsearch/templates/component/ecs/kismet.json
@@ -0,0 +1,16 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+    "ecs_version": "1.12.2"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "kismet_mapping_placeholder": {
+          "type": "keyword",
+          "ignore_above": 1024
+        }
+      }
+    }
+  }
+}