Skip to content

Instantly share code, notes, and snippets.

@defensivedepth
Created February 28, 2019 01:45
Show Gist options
  • Save defensivedepth/4642b59c8bc94293139781b78a0e1d02 to your computer and use it in GitHub Desktop.
Save defensivedepth/4642b59c8bc94293139781b78a0e1d02 to your computer and use it in GitHub Desktop.
Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
filter {
if "^pack_server-windows_Chrome.*" =~ "[osquery][name]" {
# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers
http {
url => "https://api.crxcavator.io/v1/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}"
target_body => ["CE-Raw"]
target_headers => ["CE-Headers"]
}
# Copy out the data we want and then delete the raw fields
# Format the CE-Report as a URL in Kibana and easily pivot to the full report
mutate {
copy => {"[CE-Raw][data][risk][total]" => "[CE-Risk]" }
copy => {"[CE-Raw][data][webstore][rating]" => "[CE-Rating]" }
copy => {"[CE-Raw][data][webstore][rating_users]" => "[CE-RatingUsers]" }
copy => {"[CE-Raw][data][webstore][users]" => "[CE-Users]" }
add_field => { "[CE-Report]" => "https://crxcavator.io/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}"}
remove_field => [ "CE-Raw","CE-Headers" ]
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment