@Kvetch
Created May 9, 2017 02:07
input {
  # Beats listener on the default port 5044.  No ssl/ssl_certificate/ssl_key
  # are set, so this socket accepts plaintext from any shipper that can reach
  # it; acceptable on an isolated analysis host, otherwise enable TLS here.
  beats {
    type => "beats"
    port => 5044
    #codec => json
  }

  # Process Monitor CSV export.  sincedb_path => "/dev/null" discards the read
  # offset, so the whole file is re-ingested on every Logstash start.
  file {
    type => "procmon"
    ############ CHANGE ###################
    path => "/ELK/Analysis/LogFile.CSV"
    ############## ME ####################
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }

  # Bro logs written as one JSON object per line (codec => json).  The
  # filter/output sections match on this exact type value, "Bro".
  file {
    type => "Bro"
    ############ CHANGE ###################
    path => "/ELK/Analysis/Pcap/*.log"
    ############## ME ####################
    start_position => "beginning"
    codec => json
    sincedb_path => "/dev/null"
  }
}
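filter {
  # ---------------------------------------------------------------------------
  # Process Monitor CSV (type => "procmon" from the file input)
  # ---------------------------------------------------------------------------
  if [type] == "procmon" {
    csv {
      separator => ","
      ############ CHANGE ###################
      # Must match the column order of the exported CSV exactly.
      columns => ["Time of Day","Process Name","PID","Operation","Path","Result","Detail","Event Class","Sequence","Image Path","Company","Description","Version","User","Session","Command Line","TID","Virtualized","Integrity","Category","Parent PID"]
      ############## ME ####################
    }

    mutate {
      # Cast numeric / boolean columns so they are indexed as numbers rather
      # than strings.
      convert => {
        "PID" => "integer"
        "TID" => "integer"
        "Parent PID" => "integer"
        "Virtualized" => "boolean"
        "Session" => "integer"
        "Sequence" => "integer"
        # "Duration" is not in the columns list above; this entry only does
        # something if the export carries that column.  Harmless otherwise.
        "Duration" => "float"
      }
      # The raw CSV line has been split into fields; drop the copy.
      remove_field => ['message']
    }

    # Build a parseable timestamp.  The gsub drops the last 7 characters of
    # "Time of Day" and the date pattern below expects 3 fractional digits, so
    # the source value is presumably "hh:mm:ss.NNNNNNN AM|PM"; the meridian is
    # re-appended from whichever branch matched.  Using else-if so that a row
    # is only rewritten once.
    # NOTE(review): "Date & Time" is not in the csv `columns` list.  Unless the
    # export supplies that field, %{[Date & Time][0]} is emitted literally and
    # the date filter tags _dateparsefailure — confirm against a real export.
    if "PM" in [Time of Day] {
      mutate {
        gsub => ["Time of Day", ".{7}$", ""]
        split => ["Date & Time", " "]
        add_field => ["Time", "%{[Date & Time][0]} %{[Time of Day]} PM"]
      }
    }
    else if "AM" in [Time of Day] {
      mutate {
        gsub => ["Time of Day", ".{7}$", ""]
        split => ["Date & Time", " "]
        add_field => ["Time", "%{[Date & Time][0]} %{[Time of Day]} AM"]
      }
    }

    date {
      match => ["Time", "MM/dd/YYYY hh:mm:ss.SSS aa"]
      target => "@timestamp"
    }

    # Network events carry "local -> remote" in Path; split it into the two
    # endpoints and orient src/dst by the direction of the operation.
    if [Event Class] == "Network" {
      mutate {
        split => ["Path", "->"]
      }
      if "Send" in [Operation] {
        mutate {
          add_field => ["src_ip", "%{[Path][0]}"]
          add_field => ["dst_ip", "%{[Path][1]}"]
        }
      }
      if "Receive" in [Operation] {
        mutate {
          add_field => ["dst_ip", "%{[Path][0]}"]
          add_field => ["src_ip", "%{[Path][1]}"]
        }
      }
    }

    # Scratch fields used only to derive @timestamp.
    mutate {
      remove_field => ['Time of Day', 'Date & Time', 'Time']
    }
  }

  # ---------------------------------------------------------------------------
  # Bro logs (type => "Bro" from the file input)
  # ---------------------------------------------------------------------------
  # Fixed: this branch compared against "bro-logs", a value no input sets, so
  # none of the Bro normalisation below ever ran.  The input and the output
  # section both use "Bro".
  if [type] == "Bro" {
    # Bro "ts" is epoch seconds.
    date {
      match => [ "ts", "UNIX" ]
      target => "@timestamp"
      remove_field => [ "ts" ]
    }

    # NOTE(review): the branches below assume each JSON record carries a
    # log_path field naming the Bro log it came from — confirm how the logs
    # are written.  de_dot is a separate plugin (logstash-filter-de_dot);
    # confirm it is installed in this Logstash build.
    if [log_path] == "weird" {
      de_dot {
        fields => [
          "id.orig_p",
          "id.resp_p"
        ]
      }
    }
    if [log_path] == "software" {
      de_dot {
        fields => [
          "version.major",
          "version.minor",
          "version.minor2",
          "version.minor3",
          "version.addl"
        ]
      }
    }
    if [log_path] == "x509" {
      de_dot {
        fields => [
          "certificate.version",
          "certificate.serial",
          "certificate.subject",
          "certificate.issuer",
          "certificate.exponent",
          "certificate.curve",
          "sans.dns",
          "basic_constraints.ca"
        ]
      }
    }
    if [log_path] == "intel" {
      de_dot {
        fields => [
          "seen.indicator",
          "seen.where",
          "seen.node"
        ]
      }
    }

    # Normalise the Bro connection tuple to the src_*/dst_* names shared with
    # the procmon and beats branches.  These renames address the literal
    # dotted field names; for "weird" records the id.* fields were de_dotted
    # above, so the rename may not find them there — confirm.
    mutate {
      rename => ["id.orig_p", "src_port"]
      rename => ["id.resp_p", "dst_port"]
      rename => ["id.orig_h", "src_ip"]
      rename => ["id.resp_h", "dst_ip"]
    }
  }

  # ---------------------------------------------------------------------------
  # Beats (type => "beats" from the beats input)
  # ---------------------------------------------------------------------------
  # Map the various shipper field names onto the common src_*/dst_* names.
  # Each target is named twice; if an event carries both source fields the
  # later rename is the one that lands — confirm that is the intended
  # precedence.
  if [type] == "beats" {
    mutate {
      rename => ["client_ip", "src_ip"]
      rename => ["source.ip", "src_ip"]
      rename => ["client_port", "src_port"]
      rename => ["source.port", "src_port"]
      rename => ["dest.port", "dst_port"]
      rename => ["port", "dst_port"]
      rename => ["dest.ip", "dst_ip"]
      rename => ["ip", "dst_ip"]
    }
  }
}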
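output {
  # Route each event to exactly one index by type.  The original used two
  # independent `if` statements, so a procmon event matched the first block
  # AND the trailing `else`, landing in both the "procmon" and "beats"
  # indices; a single if / else-if / else chain indexes each event once.
  #
  # All three outputs talk to a local Elasticsearch with no user/password or
  # ssl settings — acceptable for a single analysis box bound to loopback;
  # add credentials and TLS before pointing this at a shared cluster.
  if [type] == "procmon" {
    elasticsearch {
      hosts => "localhost"
      index => "procmon"
      document_type => "Procmon"
      # Field mappings for the procmon columns; keep in step with the csv
      # `columns` list in the filter section.  Note the path differs from the
      # /ELK/Analysis paths in the input section — confirm which prefix is
      # correct on this host.
      template => "/Applications/ELK/confs/procmon.mappings"
      template_overwrite => true
    }
  }
  else if [type] == "Bro" {
    elasticsearch {
      hosts => "localhost"
      index => "bro"
      document_type => "Bro"
    }
  }
  else {
    # Everything else, i.e. events from the beats input.
    elasticsearch {
      hosts => "localhost"
      index => "beats"
      document_type => "Beats"
    }
  }

  # Echoes every event to the console as well; useful while tuning the
  # filters, noisy in steady state.
  stdout {}
}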