Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
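# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
#
# Input : osquery events whose [osquery][name] starts with "pack_server-windows_Chrome"
#         and whose [osquery][columns] carry the extension "identifier" and "version".
# Output: [CE-Risk], [CE-Rating], [CE-RatingUsers], [CE-Users] copied out of the
#         CRXcavator report, plus [CE-Report], a link to the full report for Kibana.
# Notes : every matching event causes one outbound HTTPS request to api.crxcavator.io,
#         so the extension IDs/versions installed across the fleet leave the network;
#         size rate limits and data-handling policy accordingly. A failed request is
#         tagged by the http filter (by default "_httprequestfailure") and leaves the
#         CE-* fields unset rather than dropping the event.
filter {
  # Field references in conditionals are unquoted and sit on the LEFT of =~.
  # The quoted form ("regex" =~ "[osquery][name]") compares two literal strings
  # (the right side is read as the regex [osquery][name]) and is true for every
  # event, so the enrichment would run against all osquery results.
  if [osquery][name] =~ /^pack_server-windows_Chrome/ {
    # identifier/version originate from the endpoint's extension manifest and are
    # interpolated straight into a URL path, so only pass on values shaped like a
    # Chrome extension ID (32 chars, a-p) and a dotted numeric version. Anything
    # else (including a missing field, which would otherwise leave a literal
    # "%{...}" in the URL) is tagged for triage instead of being sent to the API.
    if [osquery][columns][identifier] =~ /\A[a-p]{32}\z/ and [osquery][columns][version] =~ /\A[0-9]+(\.[0-9]+){0,3}\z/ {
      # Fetch the report for this identifier/version; the JSON body lands in CE-Raw
      # and the response headers in CE-Headers, both removed again below.
      http {
        url => "https://api.crxcavator.io/v1/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}"
        target_body => "CE-Raw"
        target_headers => "CE-Headers"
      }
      # Lift the fields we keep out of the raw report (if CRXcavator has no report for
      # this version the source paths are absent and the CE-* fields stay empty), build
      # the pivot link, then drop the raw payload and headers. All four copies go in
      # one hash so none of them is lost to duplicate-key handling.
      mutate {
        copy => {
          "[CE-Raw][data][risk][total]"            => "[CE-Risk]"
          "[CE-Raw][data][webstore][rating]"       => "[CE-Rating]"
          "[CE-Raw][data][webstore][rating_users]" => "[CE-RatingUsers]"
          "[CE-Raw][data][webstore][users]"        => "[CE-Users]"
        }
        add_field => { "[CE-Report]" => "https://crxcavator.io/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}" }
        remove_field => [ "CE-Raw", "CE-Headers" ]
      }
    } else {
      # Keep the event, but make the skipped lookup visible in Kibana.
      mutate { add_tag => [ "_crxcavator_skipped_bad_identifier" ] }
    }
  }
}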