Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
| # 2/19, @DefensiveDepth | |
| # Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io) | |
| filter { | |
| if "^pack_server-windows_Chrome.*" =~ "[osquery][name]" { | |
| # Use the http filter to query the relevant extension data using the identifier and version | |
| # Dump the report data & headers into new fields, CE-Raw & CE-Headers | |
| http { | |
| url => "https://api.crxcavator.io/v1/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}" | |
| target_body => ["CE-Raw"] | |
| target_headers => ["CE-Headers"] | |
| } | |
| # Copy out the data we want and then delete the raw fields | |
| # Format the CE-Report as a URL in Kibana and easily pivot to the full report | |
| mutate { | |
| copy => {"[CE-Raw][data][risk][total]" => "[CE-Risk]" } | |
| copy => {"[CE-Raw][data][webstore][rating]" => "[CE-Rating]" } | |
| copy => {"[CE-Raw][data][webstore][rating_users]" => "[CE-RatingUsers]" } | |
| copy => {"[CE-Raw][data][webstore][users]" => "[CE-Users]" } | |
| add_field => { "[CE-Report]" => "https://crxcavator.io/report/%{[osquery][columns][identifier]}/%{[osquery][columns][version]}"} | |
| remove_field => [ "CE-Raw","CE-Headers" ] | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment