Winlogbeat Development
Start a Windows VM
vagrant up win2012
Login Options
You can connect to the VM in multiple ways.
Andrew Kroh andrewkroh
andrewkroh
/ domain_rank_enrichment_pipeline.json
Last active Oct 11, 2019
Elasticsearch Ingest Node Enrich Processor Example - Top 1M Domain Ranks
View domain_rank_enrichment_pipeline.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PUT /_ingest/pipeline/domain_rank_enrichment | |
| { | |
| "description" : "Enriching domains with rank.", | |
| "processors" : [ | |
| { | |
| "enrich" : { | |
| "policy_name": "dns-domain-top1m-rank", | |
| "field" : "dns.question.name", | |
| "target_field": "_temp" | |
| } |
View msobjs.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| int ProcessBlock(MESSAGE_RESOURCE_DATA* data, MESSAGE_RESOURCE_BLOCK* block) | |
| { | |
| MESSAGE_RESOURCE_ENTRY* entry = (MESSAGE_RESOURCE_ENTRY*) ((unsigned char*)data + block->OffsetToEntries); | |
| for (DWORD id = block->LowId; id <= block->HighId; id++) | |
| { | |
| if (entry->Flags == 0x0001) // wide char | |
| printf("%d, %ls", id, entry->Text); |
View filebeat-cisco-ios.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var processor = require("processor"); | |
| var filebeatCisco = (function() { | |
| var parseCiscoHeader = new processor.Dissect({ | |
| "tokenizer": "%{}%%{cisco.log.facility}-%{cisco.log.severity}-%{event.code}: %{message}", | |
| "field": "log.original", | |
| "target_prefix": "", | |
| }).Run; | |
| var coerceDataTypes = new processor.Transform([ |
View geoip-asn-pipeline.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "description": "Add Geo and ASN to event", | |
| "processors": [ | |
| { | |
| "geoip": { | |
| "if": "ctx.source?.geo == null", | |
| "field": "source.ip", | |
| "target_field": "source.geo", | |
| "ignore_missing": true | |
| } |
andrewkroh
/ event1.json
Last active Oct 2, 2020
Winlogbeat - Sysmon Processing for ECS (Elastic Common Schema)
View event1.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "@timestamp": "2019-01-29T19:10:47.538Z", | |
| "beat": { | |
| "hostname": "DESKTOP", | |
| "name": "DESKTOP", | |
| "version": "6.3.2" | |
| }, | |
| "event": { | |
| "kind": "event" | |
| }, |
View winlogbeat_testing.md
View elastic-beat-development-101.md
Elastic Beats Development 101
This is a short guide to get up and building Elastic Beats on a new Linux host.
Start a VM
This uses Google Compute Engine (GCE) to start an Ubuntu 20.04 virtual machine. You can use other versions of Linux or different virtualization platforms (or no virtualization), but those are not guaranteed to work with the commands here.
gcloud auth login
View packetbeat-tls-event.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "@metadata": { | |
| "beat": "packetbeat", | |
| "type": "doc", | |
| "version": "7.0.0-alpha1" | |
| }, | |
| "@timestamp": "2018-08-01T18:10:48.311Z", | |
| "beat": { | |
| "hostname": "macbook", | |
| "name": "macbook", |
andrewkroh
/ packetbeat-dhcpv4-nak-decline.json
Last active Jul 26, 2018
New DHCP Client Detected on Network - Elasticsearch Alerting Watch
View packetbeat-dhcpv4-nak-decline.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| POST _xpack/watcher/watch/packetbeat-dhcpv4-nak-decline | |
| { | |
| "metadata": { | |
| "window_period": "1m", | |
| "index_pattern": "packetbeat-*" | |
| }, | |
| "trigger": { | |
| "schedule": { | |
| "interval": "1m" | |
| } |
andrewkroh
/ Slack Notification
Last active Jul 8, 2018
Heartbeat ICMP Alerting with Elastic X-Pack Watcher
View Slack Notification
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://twitter.com/Krohbird/status/849749788920877056 |