mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
osquery ingest - initial support
This commit is contained in:
Josh Brower
26
salt/elasticsearch/files/ingest/osquery.query_result
Normal file
26
salt/elasticsearch/files/ingest/osquery.query_result
Normal file
@@ -0,0 +1,26 @@
|
|||||||
|
{
|
||||||
|
"description" : "osquery",
|
||||||
|
"processors" : [
|
||||||
|
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||||
|
{
|
||||||
|
"script": {
|
||||||
|
"lang": "painless",
|
||||||
|
"source": "def dict = ['result': new HashMap()]; for (entry in ctx['message2'].entrySet()) { dict['result'][entry.getKey()] = entry.getValue(); } ctx['osquery'] = dict; "
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{ "rename": { "field": "osquery.result.hostIdentifier", "target_field": "osquery.result.host_identifier", "ignore_missing": true } },
|
||||||
|
{ "rename": { "field": "osquery.result.calendarTime", "target_field": "osquery.result.calendar_time", "ignore_missing": true } },
|
||||||
|
{ "rename": { "field": "osquery.result.unixTime", "target_field": "osquery.result.unix_time", "ignore_missing": true } },
|
||||||
|
{ "json": { "field": "message", "target_field": "message3", "ignore_failure": true } },
|
||||||
|
{ "rename": { "field": "message3.columns.username", "target_field": "user.name", "ignore_missing": true } },
|
||||||
|
{ "rename": { "field": "message3.columns.uid", "target_field": "user.uid", "ignore_missing": true } },
|
||||||
|
{ "rename": { "field": "message3.columns.gid", "target_field": "user.gid", "ignore_missing": true } },
|
||||||
|
{ "rename": { "field": "message3.columns.shell", "target_field": "user.shell", "ignore_missing": true } },
|
||||||
|
{ "rename": { "field": "message3.columns.cmdline", "target_field": "process.command_line", "ignore_missing": true } },
|
||||||
|
{ "rename": { "field": "message3.columns.pid", "target_field": "process.pid", "ignore_missing": true } },
|
||||||
|
{ "rename": { "field": "message3.columns.parent", "target_field": "process.ppid", "ignore_missing": true } },
|
||||||
|
{ "rename": { "field": "message3.columns.cwd", "target_field": "process.working_directory", "ignore_missing": true } },
|
||||||
|
{ "remove": { "field": [ "message3"], "ignore_failure": false } },
|
||||||
|
{ "pipeline": { "name": "common" } }
|
||||||
|
]
|
||||||
|
}
|
||||||
@@ -146,7 +146,9 @@ filebeat.inputs:
|
|||||||
paths:
|
paths:
|
||||||
- /nsm/osquery/fleet/result.log
|
- /nsm/osquery/fleet/result.log
|
||||||
fields:
|
fields:
|
||||||
type: osquery
|
module: osquery
|
||||||
|
dataset: query_result
|
||||||
|
category: host
|
||||||
|
|
||||||
processors:
|
processors:
|
||||||
- drop_fields:
|
- drop_fields:
|
||||||
@@ -192,6 +194,9 @@ output.elasticsearch:
|
|||||||
- index: "so-ossec-%{+yyyy.MM.dd}"
|
- index: "so-ossec-%{+yyyy.MM.dd}"
|
||||||
when.contains:
|
when.contains:
|
||||||
module: "ossec"
|
module: "ossec"
|
||||||
|
- index: "so-osquery-%{+yyyy.MM.dd}"
|
||||||
|
when.contains:
|
||||||
|
module: "osquery"
|
||||||
|
|
||||||
#output.logstash:
|
#output.logstash:
|
||||||
# Boolean flag to enable or disable the output module.
|
# Boolean flag to enable or disable the output module.
|
||||||
|
|||||||
@@ -59,7 +59,7 @@ so-filebeat:
|
|||||||
- /opt/so/log/suricata:/suricata:ro
|
- /opt/so/log/suricata:/suricata:ro
|
||||||
- /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
|
- /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
|
||||||
- /opt/so/wazuh/logs/archives:/wazuh/archives:ro
|
- /opt/so/wazuh/logs/archives:/wazuh/archives:ro
|
||||||
- /nsm/osquery/fleet/:/osquery/logs:ro
|
- /nsm/osquery/fleet/:/nsm/osquery/fleet:ro
|
||||||
- /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
|
- /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
|
||||||
- /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
|
- /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
|
||||||
- /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
|
- /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
|
||||||
|
|||||||
@@ -5,11 +5,11 @@ spec:
|
|||||||
decorators:
|
decorators:
|
||||||
always:
|
always:
|
||||||
- SELECT codename FROM os_version;
|
- SELECT codename FROM os_version;
|
||||||
- SELECT uuid AS LiveQuery FROM system_info;
|
- SELECT uuid AS live_query FROM system_info;
|
||||||
- SELECT address AS EndpointIP1 FROM interface_addresses where address not
|
- SELECT address AS endpoint_ip1 FROM interface_addresses where address not
|
||||||
like '%:%' and address not like '127%' and address not like '169%' order by
|
like '%:%' and address not like '127%' and address not like '169%' order by
|
||||||
interface desc limit 1;
|
interface desc limit 1;
|
||||||
- SELECT address AS EndpointIP2 FROM interface_addresses where address not
|
- SELECT address AS endpoint_ip2 FROM interface_addresses where address not
|
||||||
like '%:%' and address not like '127%' and address not like '169%' order by
|
like '%:%' and address not like '127%' and address not like '169%' order by
|
||||||
interface asc limit 1;
|
interface asc limit 1;
|
||||||
- SELECT hardware_serial FROM system_info;
|
- SELECT hardware_serial FROM system_info;
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
{
|
{
|
||||||
"index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*"],
|
"index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*"],
|
||||||
"version":50001,
|
"version":50001,
|
||||||
"order" : 10,
|
"order" : 10,
|
||||||
"settings":{
|
"settings":{
|
||||||
|
|||||||
Reference in New Issue
Block a user