Osirium PxM Platform configuration for Elastic Stack to generate Notifications to Slack
input {
  # Listener for the Osirium PxM audit feed. Replace your_port_number with the port the
  # PxM forwarder sends to. The tags set here are what the filter section keys on
  # ("pxm.your.domain"), so keep both places in sync if the tag is renamed.
  tcp {
    port => your_port_number
    # NOTE(review): only port is set, so the listener binds the plugin default address and
    # accepts clear-text connections from any source. The tcp input's host, ssl_enable and
    # ssl_verify options exist if the feed should be restricted and encrypted — confirm
    # what the PxM forwarder supports before enabling them.
    tags => [ "Osirium PxM Platform", "pxm", "pxm.your.domain" ]
  }
}
filter {
  # Only events that arrived on the PxM listener (tagged by the input) are parsed.
  if "pxm.your.domain" in [tags] {
    # Split the envelope the PxM sends: the "args" object is kept as text in
    # Osirium_JSON_Format for the json filter, and the "name" value (the task that
    # fired) is captured as Osirium_Task_Action.
    grok {
      match => ["message", '^{"args": %{GREEDYDATA:Osirium_JSON_Format}, "name": "%{GREEDYDATA:Osirium_Task_Action}"}$']
    }
    # NOTE(review): no target is set, so every key of "args" is written at the event root
    # and replaces any same-named field. The output conditions read [host] and [message];
    # a target (for example "osirium") would keep parsed keys away from those fields —
    # confirm the PxM payload never carries such keys before relying on the current layout.
    json {
      source => "Osirium_JSON_Format"
    }
    # Prefix the parsed keys so they are unambiguous in Kibana and in the Slack formats.
    # A single rename hash is equivalent to one rename line per key (Logstash merges
    # repeated hash options of the same plugin). Several sources share one target
    # (username/usernames, user_display_name/user_display_names, address/client_address);
    # if one event carried both, the later rename would overwrite the earlier value.
    mutate {
      rename => {
        "account_name"                 => "Osirium_Device_Account_Name"
        "actioned_by_user_display_name" => "Osirium_Actioned_By_Display_Name"
        "actioned_by_username"         => "Osirium_Actioned_By"
        "device_address"               => "Osirium_Device_Address"
        "device_display_name"          => "Osirium_Device_Display_Name"
        "device_hostname"              => "Osirium_Device_Hostname"
        "device_name"                  => "Osirium_Device_Name"
        "address"                      => "Osirium_Client_IP_Address"
        "fingerprint"                  => "Osirium_Fingerprint"
        "connecting"                   => "Osirium_Is_Connecting"
        "protocol"                     => "Osirium_Protocol"
        "task_display_name"            => "Osirium_Task_Display_Name"
        "task_name"                    => "Osirium_Task_Name"
        "outcome"                      => "Osirium_Outcome"
        "auth_service_name"            => "Osirium_AuthServiceName"
        "username"                     => "Osirium_Usernames"
        "user_display_name"            => "Osirium_User_Display_Name"
        "expires_at"                   => "Osirium_Expires_At"
        "enabled"                      => "Osirium_Enabled"
        "email_address"                => "Osirium_Email_Address"
        "auth_type"                    => "Osirium_Auth_Type"
        "added_entity_display_names"   => "Osirium_Entity_Display_Name"
        "added_entity_names"           => "Osirium_Added_Group"
        "profile_display_name"         => "Osirium_Profile_Display_Name"
        "profile_name"                 => "Osirium_Profile_Name"
        "removed_entity_display_names" => "Osirium_Removed_Entity_Display_Names"
        "removed_entity_names"         => "Osirium_Removed_Entity_Names"
        "template_name"                => "Osirium_Template_Name"
        "template_vendor"              => "Osirium_Template_Vendor"
        "template_version"             => "Osirium_Template_Version"
        "forced"                       => "Osirium_Forced"
        "user_display_names"           => "Osirium_User_Display_Name"
        "user_group_name"              => "Osirium_User_Group_Name"
        "usernames"                    => "Osirium_Usernames"
        "change_ticket_names"          => "Osirium_Ticket_Name"
        "client_address"               => "Osirium_Client_IP_Address"
        "role_name"                    => "Osirium_Role_Name"
        "connection_id"                => "Osirium_ConnectionID"
        "parameter_name"               => "Osirium_Parameter_Name"
      }
      # The raw "args" text has been parsed; drop it so it is not indexed twice.
      remove_field => ["Osirium_JSON_Format"]
    }
  }
}
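output {
  # Every branch posts to the same Slack webhook. The URL is a credential: Logstash
  # resolves ${VAR} references in the config from the environment or from the Logstash
  # keystore, so a value such as "${SLACK_WEBHOOK_URL}" (name constructed here) keeps it
  # out of this file and out of any gist/VCS copy of it.
  # Branch selection uses substring tests: "ip_addr-x.x.x.x" in [host] and the task-name
  # checks match anywhere inside the raw field. If [host] holds a bare IP, an exact test
  # ([host] == "x.x.x.x") is stricter, and [Osirium_Task_Action] holds the task name once
  # the filter has parsed the envelope — left as-is so the matching behaviour is unchanged.

  #Osirium user revealed password devices only
  if "ip_addr-x.x.x.x" in [host] and 'UserRevealedSecrets' in [message] and 'auth_service_name' not in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Revealed password on Device called "%{Osirium_Device_Display_Name}" Device Account Name: %{Osirium_Device_Account_Name} IP/FQDN: %{Osirium_Device_Address}']
    }
  }
  #Osirium user revealed password vault
  if "ip_addr-x.x.x.x" in [host] and 'UserRevealedSecrets' in [message] and 'auth_service_name' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Revealed password on Vault called: "%{Osirium_AuthServiceName}" Vault Account Name: %{Osirium_Device_Account_Name}']
    }
  }
  #User Created Group
  if "ip_addr-x.x.x.x" in [host] and 'UserCreatedUserGroup' in [message] and 'user_group_name' in [message]{
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Created Group: "%{Osirium_User_Group_Name}"']
    }
  }
  #User Deleted Group
  if "ip_addr-x.x.x.x" in [host] and 'UserDeletedUserGroup' in [message] and 'user_group_name' in [message]{
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Removed Group: "%{Osirium_User_Group_Name}"']
    }
  }
  #User Modified Group
  if "ip_addr-x.x.x.x" in [host] and 'UserUpdatedUserGroup' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Modified Group: "%{Osirium_User_Group_Name}"']
    }
  }
  #User Deleted Profile
  if "ip_addr-x.x.x.x" in [host] and 'UserRequestedProfileDeletion' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Deleted Profile: "%{Osirium_Profile_Display_Name}"']
    }
  }
  #UserCreatedUser
  if "ip_addr-x.x.x.x" in [host] and 'UserCreatedUser' in [message] and 'email_address' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      # "Authentification" corrected to "Authentication" in the posted text.
      format => ['User: %{Osirium_Actioned_By_Display_Name} Created User: "%{Osirium_User_Display_Name}" (Email Address: %{Osirium_Email_Address}, Expires at: %{Osirium_Expires_At}, Authentication Method: %{Osirium_Auth_Type}, Enabled: %{Osirium_Enabled} )']
    }
  }
  #UserDeletedUser
  if "ip_addr-x.x.x.x" in [host] and 'UserStartedDeletingUser' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Deleted User: "%{Osirium_User_Display_Name}"']
    }
  }
  #Osirium updated profile
  if "ip_addr-x.x.x.x" in [host] and 'UserUpdatedProfileMemberships' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Updated Profile %{Osirium_Profile_Display_Name} (User Removed: %{Osirium_Removed_Entity_Display_Names} | User Added: %{Osirium_Entity_Display_Name})']
    }
  }
  #Osirium provision device
  if "ip_addr-x.x.x.x" in [host] and 'UserProvisionedDevice' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Provisioned Device: "%{Osirium_Device_Display_Name}" (IP/FQDN: %{Osirium_Device_Address} Hostname: %{Osirium_Device_Hostname} Control Account: %{Osirium_AuthServiceName} Template: %{Osirium_Template_Name})']
    }
  }
  #User Unprovision Device
  if "ip_addr-x.x.x.x" in [host] and 'UserUnprovisionedDevice' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Actioned_By_Display_Name} Unprovisioned Device: "%{Osirium_Device_Display_Name}" (IP/FQDN: %{Osirium_Device_Address} Hostname: %{Osirium_Device_Hostname} Force Remove: %{Osirium_Forced})']
    }
  }
  #Fingerprint failed
  if "ip_addr-x.x.x.x" in [host] and 'FingerprintVerificationFailure' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      # NOTE(review): nothing in the filter section renames a field to Osirium_Port, so
      # %{Osirium_Port} would be posted literally — confirm the PxM key for the port and
      # add a rename for it. The closing ")" of the message was missing and is restored.
      format => ['Device: %{Osirium_Device_Address} Failed fingerprint verification (Protocol: %{Osirium_Protocol}, Port: %{Osirium_Port}, Connection allowed: %{Osirium_Is_Connecting})']
    }
  }
  #Osirium Parameter Changed
  if "ip_addr-x.x.x.x" in [host] and 'DeviceParameterChanged' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['%{Osirium_Device_Display_Name} %{Osirium_Device_Address} Parameter %{Osirium_Parameter_Name} changed Check your pxm for more details.']
    }
  }
  #Osirium Outcome failure
  # Matches the raw JSON text; after the json filter the same condition is available as
  # [Osirium_Outcome] == "failure" for events that parsed.
  if "ip_addr-x.x.x.x" in [host] and '"outcome": "failure"' in [message] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['%{Osirium_Actioned_By_Display_Name} executed task %{Osirium_Task_Display_Name} against %{Osirium_Device_Display_Name} (Outcome %{Osirium_Outcome}, Device Address %{Osirium_Device_Address} )']
    }
  }
  #Local monitoring important for infrastructure
  # Per-device alerts on sessions to the domain controllers; these branches also require
  # the "pxm.your.domain" tag, which the earlier branches do not.
  #domain_controller01
  if "ip_addr-x.x.x.x" in [host] and "UserConnectedToDevice" in [message] and "domain_controller01.your.domain" in [Osirium_Device_Address] and "pxm.your.domain" in [tags] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Device_Account_Name} (actionedby: %{Osirium_Actioned_By}) Has Connected to %{Osirium_Device_Display_Name} (Protocol: %{Osirium_Protocol}, IP/FQDN: %{Osirium_Device_Address}, Connection ID %{Osirium_ConnectionID})']
    }
  }
  #domain_controller02
  if "ip_addr-x.x.x.x" in [host] and "UserConnectedToDevice" in [message] and "domain_controller02.your.domain" in [Osirium_Device_Address] and "pxm.your.domain" in [tags] {
    slack {
      url => "https://hooks.slack.com/services/your_slack_webhooks"
      username => "ELK Stack Osirium Reporter"
      format => ['User: %{Osirium_Device_Account_Name} (actionedby: %{Osirium_Actioned_By}) Has Connected to %{Osirium_Device_Display_Name} (Protocol: %{Osirium_Protocol}, IP/FQDN: %{Osirium_Device_Address}, Connection ID %{Osirium_ConnectionID})']
    }
  }
}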