osquery ingest - initial support

2025-12-06 09:12:45 +01:00 · 2020-04-01 10:17:36 -04:00
parent 2bfacecb4b
commit 0e76447d11
5 changed files with 37 additions and 6 deletions
--- a/salt/elasticsearch/files/ingest/osquery.query_result
+++ b/salt/elasticsearch/files/ingest/osquery.query_result
@@ -0,0 +1,26 @@
+{
+  "description" : "osquery",
+  "processors" : [
+    { "json":        { "field": "message",                            "target_field": "message2",             "ignore_failure": true  } },
+    {
+      "script": {
+        "lang": "painless",
+        "source": "def dict = ['result': new HashMap()]; for (entry in ctx['message2'].entrySet()) { dict['result'][entry.getKey()] = entry.getValue(); } ctx['osquery'] = dict; "
+      }
+    },
+    { "rename":      { "field": "osquery.result.hostIdentifier",      "target_field": "osquery.result.host_identifier",              "ignore_missing": true  } },
+    { "rename":      { "field": "osquery.result.calendarTime",        "target_field": "osquery.result.calendar_time",              "ignore_missing": true  } },
+    { "rename":      { "field": "osquery.result.unixTime",            "target_field": "osquery.result.unix_time",                "ignore_missing": true  } },    
+    { "json":        { "field": "message",                            "target_field": "message3",             "ignore_failure": true  } },
+    { "rename":      { "field": "message3.columns.username",          "target_field": "user.name",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.uid",               "target_field": "user.uid",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.gid",               "target_field": "user.gid",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.shell",             "target_field": "user.shell",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.cmdline",           "target_field": "process.command_line",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.pid",               "target_field": "process.pid",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.parent",            "target_field": "process.ppid",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.cwd",               "target_field": "process.working_directory",              "ignore_missing": true  } },
+    { "remove":      { "field": [ "message3"],                        "ignore_failure": false } },
+    { "pipeline":    { "name": "common" } }
+  ]
+}
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -146,7 +146,9 @@ filebeat.inputs:
    paths:
      - /nsm/osquery/fleet/result.log
    fields:
-      type: osquery
+      module: osquery
+      dataset: query_result
+      category: host

    processors:
    - drop_fields:
@@ -192,6 +194,9 @@ output.elasticsearch:
    - index: "so-ossec-%{+yyyy.MM.dd}"
      when.contains:
        module: "ossec"
+    - index: "so-osquery-%{+yyyy.MM.dd}"
+      when.contains:
+        module: "osquery"

 #output.logstash:
  # Boolean flag to enable or disable the output module.
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -59,7 +59,7 @@ so-filebeat:
      - /opt/so/log/suricata:/suricata:ro
      - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
      - /opt/so/wazuh/logs/archives:/wazuh/archives:ro
-      - /nsm/osquery/fleet/:/osquery/logs:ro
+      - /nsm/osquery/fleet/:/nsm/osquery/fleet:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
--- a/salt/fleet/files/packs/hh/osquery.conf
+++ b/salt/fleet/files/packs/hh/osquery.conf
@@ -5,11 +5,11 @@ spec:
    decorators:
      always:
      - SELECT codename FROM os_version;
-      - SELECT uuid AS LiveQuery FROM system_info;
-      - SELECT address AS EndpointIP1 FROM interface_addresses where address not
+      - SELECT uuid AS live_query FROM system_info;
+      - SELECT address AS endpoint_ip1 FROM interface_addresses where address not
        like '%:%' and address not like '127%' and address not like '169%' order by
        interface desc limit 1;
-      - SELECT address AS EndpointIP2 FROM interface_addresses where address not
+      - SELECT address AS endpoint_ip2 FROM interface_addresses where address not
        like '%:%' and address not like '127%' and address not like '169%' order by
        interface asc limit 1;
      - SELECT hardware_serial FROM system_info;
--- a/salt/logstash/pipelines/templates/so/so-common-template.json
+++ b/salt/logstash/pipelines/templates/so/so-common-template.json
@@ -1,5 +1,5 @@
 {
-  "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*"],
+  "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*"],
  "version":50001,
  "order" : 10,
  "settings":{