Osirium PxM Platform configuration for Elastic Stack to generate Notifications to Slack
input {
  # Audit feed from the Osirium PxM Platform.  Every event that arrives on this
  # listener is tagged so the filter and output sections can tell it apart
  # from other sources in the same pipeline.
  tcp {
    port => your_port_number
    # NOTE(review): a plain tcp listener carries usernames and device
    # addresses in clear; the tcp input's ssl_enable / ssl_cert / ssl_key
    # settings can put TLS in front of it when the PxM side supports it.
    tags => ['Osirium PxM Platform', 'pxm', 'pxm.your.domain']
  }
}
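filter {
  # Only events that came in through the PxM listener carry this tag.
  if "pxm.your.domain" in [tags] {
    # The raw line is expected to look like
    #   {"args": { ... }, "name": "<TaskName>"}
    # grok splits it into the args object (parsed as JSON below) and the task
    # name.  The task name lands in Osirium_Task_Action, which the output
    # section should compare exactly instead of searching the raw message.
    grok {
      match => { "message" => '^{"args": %{GREEDYDATA:Osirium_JSON_Format}, "name": "%{GREEDYDATA:Osirium_Task_Action}"}$' }
    }
    # When grok did not match there is no Osirium_JSON_Format field to parse;
    # skipping the json/mutate step avoids a spurious _jsonparsefailure and
    # leaves the event with only _grokparsefailure to investigate.
    if "_grokparsefailure" not in [tags] {
      json {
        source => "Osirium_JSON_Format"
      }
      mutate {
        # One rename map instead of one `rename =>` line per key: Logstash
        # merges repeated hash options anyway, but a single map makes the
        # alias pairs below visible.  Several source keys map to the same
        # target (username/usernames, user_display_name/user_display_names,
        # address/client_address); presumably no PxM event carries both of a
        # pair, otherwise the later rename overwrites the earlier -- confirm.
        rename => {
          "account_name"                 => "Osirium_Device_Account_Name"
          "actioned_by_user_display_name" => "Osirium_Actioned_By_Display_Name"
          "actioned_by_username"         => "Osirium_Actioned_By"
          "device_address"               => "Osirium_Device_Address"
          "device_display_name"          => "Osirium_Device_Display_Name"
          "device_hostname"              => "Osirium_Device_Hostname"
          "device_name"                  => "Osirium_Device_Name"
          "address"                      => "Osirium_Client_IP_Address"
          "fingerprint"                  => "Osirium_Fingerprint"
          "connecting"                   => "Osirium_Is_Connecting"
          "protocol"                     => "Osirium_Protocol"
          # The output's FingerprintVerificationFailure message references
          # %{Osirium_Port}, which nothing produced before; presumably the
          # event carries a "port" argument -- confirm against a real event.
          "port"                         => "Osirium_Port"
          "task_display_name"            => "Osirium_Task_Display_Name"
          "task_name"                    => "Osirium_Task_Name"
          "outcome"                      => "Osirium_Outcome"
          "auth_service_name"            => "Osirium_AuthServiceName"
          "username"                     => "Osirium_Usernames"
          "user_display_name"            => "Osirium_User_Display_Name"
          "expires_at"                   => "Osirium_Expires_At"
          "enabled"                      => "Osirium_Enabled"
          "email_address"                => "Osirium_Email_Address"
          "auth_type"                    => "Osirium_Auth_Type"
          "added_entity_display_names"   => "Osirium_Entity_Display_Name"
          "added_entity_names"           => "Osirium_Added_Group"
          "profile_display_name"         => "Osirium_Profile_Display_Name"
          "profile_name"                 => "Osirium_Profile_Name"
          "removed_entity_display_names" => "Osirium_Removed_Entity_Display_Names"
          "removed_entity_names"         => "Osirium_Removed_Entity_Names"
          "template_name"                => "Osirium_Template_Name"
          "template_vendor"              => "Osirium_Template_Vendor"
          "template_version"             => "Osirium_Template_Version"
          "forced"                       => "Osirium_Forced"
          "user_display_names"           => "Osirium_User_Display_Name"
          "user_group_name"              => "Osirium_User_Group_Name"
          "usernames"                    => "Osirium_Usernames"
          "change_ticket_names"          => "Osirium_Ticket_Name"
          "client_address"               => "Osirium_Client_IP_Address"
          "role_name"                    => "Osirium_Role_Name"
          "connection_id"                => "Osirium_ConnectionID"
          "parameter_name"               => "Osirium_Parameter_Name"
        }
        # The raw args text has been parsed; keep only the structured fields.
        remove_field => ["Osirium_JSON_Format"]
      }
    }
  }
}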
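output {
  # Every notification applies to events from the PxM host that went through
  # the filter above, so the two shared guards are evaluated once here.
  #
  # Conditions compare the parsed task name (Osirium_Task_Action) exactly
  # rather than searching the raw message for a substring.  A substring search
  # for 'UserCreatedUser' also matches 'UserCreatedUserGroup' (the original
  # needed an extra 'email_address' check to tell them apart), and any
  # argument value that happens to contain a task name or a key such as
  # 'auth_service_name' could trigger or re-route a notification.
  #
  # Logstash has no way to share plugin settings between blocks, so url and
  # username are repeated per slack block.  The webhook URL is read from the
  # environment or the Logstash keystore (${VAR} substitution) so the secret
  # is not stored in the pipeline file.
  if "ip_addr-x.x.x.x" in [host] and "pxm.your.domain" in [tags] {

    # User revealed a password for a device account (no vault involved).
    # Original logic keyed on the presence of the auth_service_name argument;
    # after the filter that argument is the Osirium_AuthServiceName field.
    if [Osirium_Task_Action] == "UserRevealedSecrets" and ![Osirium_AuthServiceName] {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Revealed password on Device called "%{Osirium_Device_Display_Name}" Device Account Name: %{Osirium_Device_Account_Name} IP/FQDN: %{Osirium_Device_Address}']
      }
    }

    # User revealed a password held in a vault / auth service.
    if [Osirium_Task_Action] == "UserRevealedSecrets" and [Osirium_AuthServiceName] {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Revealed password on Vault called: "%{Osirium_AuthServiceName}" Vault Account Name: %{Osirium_Device_Account_Name}']
      }
    }

    # User group created.
    if [Osirium_Task_Action] == "UserCreatedUserGroup" and [Osirium_User_Group_Name] {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Created Group: "%{Osirium_User_Group_Name}"']
      }
    }

    # User group deleted.
    if [Osirium_Task_Action] == "UserDeletedUserGroup" and [Osirium_User_Group_Name] {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Removed Group: "%{Osirium_User_Group_Name}"']
      }
    }

    # User group modified.
    if [Osirium_Task_Action] == "UserUpdatedUserGroup" {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Modified Group: "%{Osirium_User_Group_Name}"']
      }
    }

    # Profile deleted.
    if [Osirium_Task_Action] == "UserRequestedProfileDeletion" {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Deleted Profile: "%{Osirium_Profile_Display_Name}"']
      }
    }

    # User account created.  The exact task-name match already excludes
    # UserCreatedUserGroup; the email_address check is kept so the message
    # is only sent when the fields it prints are present.
    if [Osirium_Task_Action] == "UserCreatedUser" and [Osirium_Email_Address] {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Created User: "%{Osirium_User_Display_Name}" (Email Address: %{Osirium_Email_Address}, Expires at: %{Osirium_Expires_At}, Authentification Method: %{Osirium_Auth_Type}, Enabled: %{Osirium_Enabled} )']
      }
    }

    # User account deleted.
    if [Osirium_Task_Action] == "UserStartedDeletingUser" {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Deleted User: "%{Osirium_User_Display_Name}"']
      }
    }

    # Profile membership changed.
    if [Osirium_Task_Action] == "UserUpdatedProfileMemberships" {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Updated Profile %{Osirium_Profile_Display_Name} (User Removed: %{Osirium_Removed_Entity_Display_Names} | User Added: %{Osirium_Entity_Display_Name})']
      }
    }

    # Device provisioned.
    if [Osirium_Task_Action] == "UserProvisionedDevice" {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Provisioned Device: "%{Osirium_Device_Display_Name}" (IP/FQDN: %{Osirium_Device_Address} Hostname: %{Osirium_Device_Hostname} Control Account: %{Osirium_AuthServiceName} Template: %{Osirium_Template_Name})']
      }
    }

    # Device unprovisioned.
    if [Osirium_Task_Action] == "UserUnprovisionedDevice" {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Actioned_By_Display_Name} Unprovisioned Device: "%{Osirium_Device_Display_Name}" (IP/FQDN: %{Osirium_Device_Address} Hostname: %{Osirium_Device_Hostname} Force Remove: %{Osirium_Forced})']
      }
    }

    # Device fingerprint (host key / certificate) verification failed.
    # The message lost its closing parenthesis in the original.
    if [Osirium_Task_Action] == "FingerprintVerificationFailure" {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['Device: %{Osirium_Device_Address} Failed fingerprint verification (Protocol: %{Osirium_Protocol}, Port: %{Osirium_Port}, Connection allowed: %{Osirium_Is_Connecting})']
      }
    }

    # Device parameter changed.
    if [Osirium_Task_Action] == "DeviceParameterChanged" {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['%{Osirium_Device_Display_Name} %{Osirium_Device_Address} Parameter %{Osirium_Parameter_Name} changed Check your pxm for more details.']
      }
    }

    # Any task whose outcome was a failure.  The original searched the raw
    # message for '"outcome": "failure"'; the parsed field is compared here.
    if [Osirium_Outcome] == "failure" {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['%{Osirium_Actioned_By_Display_Name} executed task %{Osirium_Task_Display_Name} against %{Osirium_Device_Display_Name} (Outcome %{Osirium_Outcome}, Device Address %{Osirium_Device_Address} )']
      }
    }

    # Local monitoring of important infrastructure: privileged connections to
    # either domain controller.  Both produce the same message, so the two
    # original blocks are folded into one condition; add further hosts to the
    # parenthesised list.
    if [Osirium_Task_Action] == "UserConnectedToDevice"
       and ("domain_controller01.your.domain" in [Osirium_Device_Address]
            or "domain_controller02.your.domain" in [Osirium_Device_Address]) {
      slack {
        url => "${OSIRIUM_SLACK_WEBHOOK_URL}"
        username => "ELK Stack Osirium Reporter"
        format => ['User: %{Osirium_Device_Account_Name} (actionedby: %{Osirium_Actioned_By}) Has Connected to %{Osirium_Device_Display_Name} (Protocol: %{Osirium_Protocol}, IP/FQDN: %{Osirium_Device_Address}, Connection ID %{Osirium_ConnectionID})']
      }
    }
  }
}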