Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
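# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
#
# Expects osquery results from the Windows Chrome extension pack, with the
# extension identifier and version under [osquery][columns]. Each matching
# event triggers one GET against the CRXcavator report API; the values of
# interest are copied into CE-* fields and the raw response is dropped.
filter {
  # Logstash's =~ takes the field on the left and the pattern on the right.
  # The original form, "^pack_server-windows_Chrome.*" =~ "[osquery][name]",
  # tested the literal string against the pattern [osquery][name] (two
  # character classes, e.g. the "se" in "server"), so it was effectively true
  # for every event and every event was sent to the API.
  if [osquery][name] =~ /^pack_server-windows_Chrome/ {
    # Both values are interpolated into a URL path, so require them to be
    # present and well-formed before a request is built: an absent field would
    # be sent as the literal text "%{...}", and an unexpected value would change
    # the path that is requested. Chrome extension IDs are 32 characters from
    # a-p; versions are dotted numbers.
    if [osquery][columns][identifier] =~ /^[a-p]{32}$/ and [osquery][columns][version] =~ /^[0-9]+([.][0-9]+)*$/ {
      # Use the http filter to query the relevant extension data using the
      # identifier and version; dump the report body & headers into CE-Raw and
      # CE-Headers. target_body / target_headers take a single field name.
      http {
        url => "https://api.crxcavator.io/v1/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}"
        target_body => "CE-Raw"
        target_headers => "CE-Headers"
      }
      # Copy out the data we want and then delete the raw fields.
      # CE-Report is formatted as a URL so Kibana can pivot to the full report.
      # The four copies are given as one hash so all of them apply regardless
      # of how a repeated `copy` option is handled by the config compiler.
      # NOTE(review): if the lookup fails the copies are skipped (the CE-Raw
      # source fields are absent) but CE-Report is still added; gate this mutate
      # on the http filter's request-failure tag if that matters downstream.
      mutate {
        copy => {
          "[CE-Raw][data][risk][total]"            => "[CE-Risk]"
          "[CE-Raw][data][webstore][rating]"       => "[CE-Rating]"
          "[CE-Raw][data][webstore][rating_users]" => "[CE-RatingUsers]"
          "[CE-Raw][data][webstore][users]"        => "[CE-Users]"
        }
        add_field => { "[CE-Report]" => "https://crxcavator.io/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}" }
        remove_field => [ "CE-Raw", "CE-Headers" ]
      }
    }
  }
}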