Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)

Logstash-Filter.conf

# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)

filter {

if  "^pack_server-windows_Chrome.*" =~  "[osquery][name]" {

# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers
 http {
    url => "https://api.crxcavator.io/v1/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}"
    target_body => ["CE-Raw"]
    target_headers => ["CE-Headers"]
}

# Copy out the data we want and then delete the raw fields
# Format the CE-Report as a URL in Kibana and easily pivot to the full report
   mutate {
     copy => {"[CE-Raw][data][risk][total]" => "[CE-Risk]" }
     copy => {"[CE-Raw][data][webstore][rating]" => "[CE-Rating]" }
     copy => {"[CE-Raw][data][webstore][rating_users]" => "[CE-RatingUsers]" }
     copy => {"[CE-Raw][data][webstore][users]" => "[CE-Users]" }

     add_field => { "[CE-Report]" => "https://crxcavator.io/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}"}

     remove_field => [ "CE-Raw","CE-Headers" ]
        }
}

}