CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update 9997_output_helix.conf

Browse Source
This commit is contained in:
Mike Reeves
2020-02-10 22:47:11 -05:00
committed by GitHub
parent 9e5c96ddfa
commit 521de8f154
1 changed files with 40 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
View File

@@ -3,7 +3,7 @@
{% set CBNAME = grains.host %} {% set CBNAME = grains.host %}
filter { filter {
if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ { if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
grok { grok {
match => [ match => [
"source_ip", "^%{IPV4:srcipv4}$", "source_ip", "^%{IPV4:srcipv4}$",
@@ -17,28 +17,27 @@ filter {
] ]
} }
geoip { #geoip {
source => "[source_ip]" # source => "[source_ip]"
target => "source_geo" # target => "source_geo"
} #}
geoip { #geoip {
source => "[destination_ip]" # source => "[destination_ip]"
target => "destination_geo" # target => "destination_geo"
} #}
mutate { mutate {
#rename => { "%{[source_geo][country_code]}" => "srccountrycode" }
#rename => { "%{[destination_geo][country_code]}" => "dstcountrycode" }
rename => { "[beat_host][name]" => "sensor" } rename => { "[beat_host][name]" => "sensor" }
copy => { "sensor" => "rawmsghostname" } copy => { "sensor" => "rawmsghostname" }
rename => { "message" => "rawmsg" } rename => { "message" => "rawmsg" }
#rename => { "event_type" => "program" }
copy => { "type" => "class" } copy => { "type" => "class" }
copy => { "class" => "program"} copy => { "class" => "program"}
rename => { "source_port" => "srcport" } rename => { "source_port" => "srcport" }
rename => { "destination_port" => "dstport" } rename => { "destination_port" => "dstport" }
add_field => { "metacbid" => "{{ UNIQUEID }}"} rename => { "[log][file][path]" => "filepath" }
add_field => { "metacbname" => "{{ CBNAME }}"} add_field => { "meta_cbid" => "{{ UNIQUEID }}" }
remove_field => ["source_ip", "destination_ip"] add_field => { "meta_cbname" => "{{ CBNAME }}" }
remove_field => ["source_ip", "destination_ip", "syslog-host_from"]
remove_field => ["beat_host", "timestamp", "type", "log", "@version", "@timestamp"]
remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"] remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"] remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
} }
@@ -56,6 +55,7 @@ filter {
rename => { "local_respond" => "local_resp" } rename => { "local_respond" => "local_resp" }
rename => { "local_orig" => "localorig" } rename => { "local_orig" => "localorig" }
rename => { "missed_bytes" => "missingbytes" } rename => { "missed_bytes" => "missingbytes" }
rename => { "connection_state_description" => "description" }
} }
} }
if "bro_dns" in [class] { if "bro_dns" in [class] {
@@ -69,21 +69,31 @@ filter {
rename => { "query_type_name" => "querytypename" } rename => { "query_type_name" => "querytypename" }
rename => { "ra" => "recursionavailable" } rename => { "ra" => "recursionavailable" }
rename => { "rd" => "recursiondesired" } rename => { "rd" => "recursiondesired" }
rename => { "uid" => "connectionid" }
rename => { "ttls" => "ttl" }
rename => { "transaction_id" => "transactionid" }
} }
} }
if "bro_dhcp" in [class] { if "bro_dhcp" in [class] {
mutate{ mutate{
#add_field = { "metaclass" => "dhcp"} #add_field = { "metaclass" => "dhcp"}
rename => { "message_types" => "direction" } rename => { "message_types" => "direction" }
rename => { "lease_time" => "duration" } rename => { "uid" => "connectionid" }
rename => { "lease_time" => "duration" }
} }
} }
if "bro_files" in [class] { if "bro_files" in [class] {
mutate{ mutate{
#add_field = { "metaclass" => "dns"} #add_field = { "metaclass" => "dns"}
rename => { "missing_bytes" => "missingbytes" } rename => { "missing_bytes" => "missingbytes" }
rename => { "seen_bytes" => "seenbytes" }
rename => { "overflow_bytes" => "overflowbytes" }
rename => { "fuid" => "fileid" } rename => { "fuid" => "fileid" }
rename => { "uid" => "connectionid" } rename => { "conn_uids" => "connectionid" }
rename => { "is_orig" => "isorig" }
rename => { "timed_out" => "timedout" }
rename => { "local_orig" => "localorig" }
rename => { "file_ip" => "tx_host" }
} }
} }
if "bro_http" in [class] { if "bro_http" in [class] {
@@ -98,7 +108,10 @@ filter {
rename => { "request_body_len" => "sentbodybytes" } rename => { "request_body_len" => "sentbodybytes" }
rename => { "uid" => "connectionid" } rename => { "uid" => "connectionid" }
rename => { "ts"=> "eventtime" } rename => { "ts"=> "eventtime" }
rename => { "@timestamp"=> "eventtime" } rename => { "@timestamp"=> "eventtime" }
rename => { "trans_depth" => "depth" }
rename => { "request_body_length" => "sentbodybytes" }
rename => { "response_body_length" => "rcvdbodybytes" }
} }
} }
if "bro_ssl" in [class] { if "bro_ssl" in [class] {
@@ -110,30 +123,31 @@ filter {
rename => { "resp_fuids" => "rcvdfileid" } rename => { "resp_fuids" => "rcvdfileid" }
rename => { "response_body_len" => "rcvdbodybytes" } rename => { "response_body_len" => "rcvdbodybytes" }
rename => { "request_body_len" => "sentbodybytes" } rename => { "request_body_len" => "sentbodybytes" }
rename => { "uid" => "connectionid" }
} }
} }
if "bro_weird" in [class] { if "bro_weird" in [class] {
mutate{ mutate{
#add_field = { "metaclass" => "dns"} #add_field = { "metaclass" => "dns"}
rename => { "name" => "eventname" } rename => { "name" => "eventname" }
} }
} }
if "bro_x509" in [class] { if "bro_x509" in [class] {
mutate{ mutate{
#add_field = { "metaclass" => "dns"} #add_field = { "metaclass" => "dns"}
rename => { "certificate_common_name" => "certname" } rename => { "certificate_common_name" => "certname" }
rename => { "certificate_subject" => "certsubject" } rename => { "certificate_subject" => "certsubject" }
rename => { "issuer_common_name" => "issuer" } rename => { "issuer_common_name" => "issuer" }
rename => { "certificate_issuer" => "issuersubject" } rename => { "certificate_issuer" => "issuersubject" }
rename => { "certificate_not_valid_before" => "issuetime" } rename => { "certificate_not_valid_before" => "issuetime" }
rename => { "certificate_key_type" => "cert_type" } rename => { "certificate_key_type" => "cert_type" }
} }
} }
} }
} }
output { output {
if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ { if [class] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
http { http {
url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload" url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
http_method => post http_method => post