Andrew Kroh andrewkroh

andrewkroh / domain_rank_enrichment_pipeline.json
Last active Oct 11, 2019
Elasticsearch Ingest Node Enrich Processor Example - Top 1M Domain Ranks
PUT /_ingest/pipeline/domain_rank_enrichment
"description" : "Enriching domains with rank.",
"processors" : [
"enrich" : {
"policy_name": "dns-domain-top1m-rank",
"field" : "",
"target_field": "_temp"
andrewkroh / msobjs.c
Created Jul 23, 2019
Extract the msobjs.dll message table
#include <windows.h>
#include <stdio.h>
MESSAGE_RESOURCE_ENTRY* entry = (MESSAGE_RESOURCE_ENTRY*) ((unsigned char*)data + block->OffsetToEntries);
for (DWORD id = block->LowId; id <= block->HighId; id++)
if (entry->Flags == 0x0001) // wide char
printf("%d, %ls", id, entry->Text);
andrewkroh / filebeat-cisco-ios.js
Created Feb 26, 2019
Javascript Processor Example
var processor = require("processor");
var filebeatCisco = (function() {
var parseCiscoHeader = new processor.Dissect({
"tokenizer": "%{}%%{cisco.log.facility}-%{cisco.log.severity}-%{event.code}: %{message}",
"field": "log.original",
"target_prefix": "",
var coerceDataTypes = new processor.Transform([
andrewkroh / geoip-asn-pipeline.json
Created Feb 21, 2019
Ingest Node GeoIP and ASN
"description": "Add Geo and ASN to event",
"processors": [
"geoip": {
"if": "ctx.source?.geo == null",
"field": "source.ip",
"target_field": "source.geo",
"ignore_missing": true
andrewkroh / event1.json
Last active Oct 2, 2020
Winlogbeat - Sysmon Processing for ECS (Elastic Common Schema)
"@timestamp": "2019-01-29T19:10:47.538Z",
"beat": {
"hostname": "DESKTOP",
"name": "DESKTOP",
"version": "6.3.2"
"event": {
"kind": "event"
andrewkroh /
Last active Jan 25, 2019
Winlogbeat Development

Winlogbeat Development

Start a Windows VM

vagrant up win2012

Login Options

You can connect to the VM in multiple ways.

andrewkroh /
Last active Mar 17, 2022
Elastic Beat Development 101

Elastic Beats Development 101

This is a short guide to get up and building Elastic Beats on a new Linux host.

Start a VM

This uses Google Compute Engine (GCE) to start an Ubuntu 20.04 virtual machine. You can use other versions of Linux or different virtualization platforms (or no virtualization), but those are not guaranteed to work with the commands here.

 gcloud auth login
andrewkroh / packetbeat-tls-event.json
Created Aug 1, 2018
Packetbeat TLS Event Example
"@metadata": {
"beat": "packetbeat",
"type": "doc",
"version": "7.0.0-alpha1"
"@timestamp": "2018-08-01T18:10:48.311Z",
"beat": {
"hostname": "macbook",
"name": "macbook",
andrewkroh / packetbeat-dhcpv4-nak-decline.json
Last active Jul 26, 2018
New DHCP Client Detected on Network - Elasticsearch Alerting Watch
POST _xpack/watcher/watch/packetbeat-dhcpv4-nak-decline
"metadata": {
"window_period": "1m",
"index_pattern": "packetbeat-*"
"trigger": {
"schedule": {
"interval": "1m"
andrewkroh / Slack Notification
Last active Jul 8, 2018
Heartbeat ICMP Alerting with Elastic X-Pack Watcher