From 0e76447d11c99f1aca132a74a3d21be48980064d Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 1 Apr 2020 10:17:36 -0400
Subject: [PATCH] osquery ingest - initial support
---
.../files/ingest/osquery.query_result | 26 +++++++++++++++++++
salt/filebeat/etc/filebeat.yml | 7 ++++-
salt/filebeat/init.sls | 2 +-
salt/fleet/files/packs/hh/osquery.conf | 6 ++---
.../templates/so/so-common-template.json | 2 +-
5 files changed, 37 insertions(+), 6 deletions(-)
create mode 100644 salt/elasticsearch/files/ingest/osquery.query_result
diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result
new file mode 100644
index 000000000..bdd73a573
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/osquery.query_result
@@ -0,0 +1,26 @@
+{
+ "description" : "osquery",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ {
+ "script": {
+ "lang": "painless",
+ "source": "def dict = ['result': new HashMap()]; for (entry in ctx['message2'].entrySet()) { dict['result'][entry.getKey()] = entry.getValue(); } ctx['osquery'] = dict; "
+ }
+ },
+ { "rename": { "field": "osquery.result.hostIdentifier", "target_field": "osquery.result.host_identifier", "ignore_missing": true } },
+ { "rename": { "field": "osquery.result.calendarTime", "target_field": "osquery.result.calendar_time", "ignore_missing": true } },
+ { "rename": { "field": "osquery.result.unixTime", "target_field": "osquery.result.unix_time", "ignore_missing": true } },
+ { "json": { "field": "message", "target_field": "message3", "ignore_failure": true } },
+ { "rename": { "field": "message3.columns.username", "target_field": "user.name", "ignore_missing": true } },
+ { "rename": { "field": "message3.columns.uid", "target_field": "user.uid", "ignore_missing": true } },
+ { "rename": { "field": "message3.columns.gid", "target_field": "user.gid", "ignore_missing": true } },
+ { "rename": { "field": "message3.columns.shell", "target_field": "user.shell", "ignore_missing": true } },
+ { "rename": { "field": "message3.columns.cmdline", "target_field": "process.command_line", "ignore_missing": true } },
+ { "rename": { "field": "message3.columns.pid", "target_field": "process.pid", "ignore_missing": true } },
+ { "rename": { "field": "message3.columns.parent", "target_field": "process.ppid", "ignore_missing": true } },
+ { "rename": { "field": "message3.columns.cwd", "target_field": "process.working_directory", "ignore_missing": true } },
+ { "remove": { "field": [ "message3"], "ignore_failure": false } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
\ No newline at end of file
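Review bot: The painless script dereferences `ctx['message2'].entrySet()` without checking that `message2` exists, while the json processor in front of it runs with `"ignore_failure": true`; a result line that is not valid JSON therefore leaves `message2` unset and the script fails the whole document with a null pointer error instead of letting it through. Guard the script, e.g. `"source": "if (ctx['message2'] instanceof Map) { ctx['osquery'] = ['result': new HashMap(ctx['message2'])]; }"`, which also replaces the hand-written copy loop with an equivalent shallow copy. `message2` is never removed afterwards, so every indexed document stores the parsed result twice (under `message2` and under `osquery.result`); add `{ "remove": { "field": "message2", "ignore_missing": true } }` after the script, or reuse `message2` for the column renames instead of parsing `message` a second time into `message3`. The `remove` of `message3` uses `"ignore_failure": false`, so if the second json parse failed the whole document is rejected at that step too; `"ignore_missing": true` is the safer choice there.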
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 129223381..826073856 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -146,7 +146,9 @@ filebeat.inputs:
 paths:
 - /nsm/osquery/fleet/result.log
 fields:
- type: osquery
+ module: osquery
+ dataset: query_result
+ category: host
 processors:
 - drop_fields:
@@ -192,6 +194,9 @@ output.elasticsearch:
 - index: "so-ossec-%{+yyyy.MM.dd}"
 when.contains:
 module: "ossec"
+ - index: "so-osquery-%{+yyyy.MM.dd}"
+ when.contains:
+ module: "osquery"
 #output.logstash:
 # Boolean flag to enable or disable the output module.
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 25fbbdd14..38fd72b32 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -59,7 +59,7 @@ so-filebeat:
 - /opt/so/log/suricata:/suricata:ro
 - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
 - /opt/so/wazuh/logs/archives:/wazuh/archives:ro
- - /nsm/osquery/fleet/:/osquery/logs:ro
+ - /nsm/osquery/fleet/:/nsm/osquery/fleet:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
 - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
diff --git a/salt/fleet/files/packs/hh/osquery.conf b/salt/fleet/files/packs/hh/osquery.conf
index 232c8419c..2558efd88 100644
--- a/salt/fleet/files/packs/hh/osquery.conf
+++ b/salt/fleet/files/packs/hh/osquery.conf
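Review bot: Nothing in the first filebeat.yml hunk selects the new `osquery.query_result` ingest pipeline for this input, and the rest of the diff does not either; if the Elasticsearch output does not derive the pipeline name from `module` and `dataset` elsewhere in the file (not visible here), the renames in that pipeline never run and the input needs `pipeline: "osquery.query_result"` next to `fields:`. Replacing `type: osquery` with `module: osquery` also drops a field that existing searches, dashboards or Logstash filters may key on; a grep for the old field name before merging would confirm nothing else depends on it. The input definition and the `drop_fields` processor continue outside the hunk.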
@@ -5,11 +5,11 @@ spec:
 decorators:
 always:
 - SELECT codename FROM os_version;
- - SELECT uuid AS LiveQuery FROM system_info;
- - SELECT address AS EndpointIP1 FROM interface_addresses where address not
+ - SELECT uuid AS live_query FROM system_info;
+ - SELECT address AS endpoint_ip1 FROM interface_addresses where address not
 like '%:%' and address not like '127%' and address not like '169%' order by interface desc limit 1;
- - SELECT address AS EndpointIP2 FROM interface_addresses where address not
+ - SELECT address AS endpoint_ip2 FROM interface_addresses where address not
 like '%:%' and address not like '127%' and address not like '169%' order by interface asc limit 1;
 - SELECT hardware_serial FROM system_info;
diff --git a/salt/logstash/pipelines/templates/so/so-common-template.json b/salt/logstash/pipelines/templates/so/so-common-template.json
index aef853387..83c2757c2 100644
--- a/salt/logstash/pipelines/templates/so/so-common-template.json
+++ b/salt/logstash/pipelines/templates/so/so-common-template.json
@@ -1,5 +1,5 @@
 {
- "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*"],
+ "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*"],
 "version":50001,
 "order" : 10,
 "settings":{
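Review bot: Adding `so-osquery-*` to this template's `index_patterns` gives osquery documents the common mappings, but the ingest pipeline in this commit copies every query's raw columns under `osquery.result.columns`, whose key set differs per scheduled query and whose values osquery emits as strings unless configured otherwise. Unless the `mappings` section below this hunk already constrains that subtree (it is outside the hunk), dynamic mapping will grow the field count with every new query and may guess different types for the same column across daily indices, which breaks cross-index searches. Consider an explicit `"osquery.result.columns": { "type": "object", "dynamic": false }` entry or a `dynamic_templates` rule that maps those columns as `keyword`, and document the choice in the template's `description`-style comment if the project keeps one.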