andrewkroh

{
    "description": "Add Geo and ASN to event",
    "processors": [
      {
        "geoip": {
          "if": "ctx.source?.geo == null",
          "field": "source.ip",
          "target_field": "source.geo",
          "ignore_missing": true
        }

andrewkroh

{
  "@timestamp": "2019-01-29T19:10:47.538Z",
  "beat": {
    "hostname": "DESKTOP",
    "name": "DESKTOP",
    "version": "6.3.2"
  },
  "event": {
    "kind": "event"
  },

andrewkroh

Winlogbeat Development

Start a Windows VM

vagrant up win2012

Login Options

You can connect to the VM in multiple ways.

andrewkroh

Elastic Beats Development 101

This is a short guide to get up and building Elastic Beats on a new Linux host.

Start a VM

This uses Google Compute Engine (GCE) to start an Ubuntu 20.04 virtual machine. You can use other versions of Linux or different virtualization platforms (or no virtualization), but those are not guaranteed to work with the commands here.

 gcloud auth login

andrewkroh

{
  "@metadata": {
    "beat": "packetbeat",
    "type": "doc",
    "version": "7.0.0-alpha1"
  },
  "@timestamp": "2018-08-01T18:10:48.311Z",
  "beat": {
    "hostname": "macbook",
    "name": "macbook",

andrewkroh

POST _xpack/watcher/watch/packetbeat-dhcpv4-nak-decline
{
  "metadata": {
    "window_period": "1m",
    "index_pattern": "packetbeat-*"
  },
  "trigger": {
    "schedule": {
      "interval": "1m"
    }

andrewkroh

https://twitter.com/Krohbird/status/849749788920877056

andrewkroh

seccomp:
  default_action: errno
  syscalls:
  - names:
    - accept
    - accept4
    - arch_prctl
    - bind
    - brk
    - clone

andrewkroh

Generating Seccomp BPF Filters with libbseccomp in Go

// +build linux

package main

import (
	"log"
	"os"

andrewkroh

{
  "@timestamp": "2018-04-08T19:29:14.461Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "doc",
    "version": "6.2.2"
  },
  "event": {
    "action": "violated-seccomp-policy",
    "module": "auditd",