Tony Meehan tonymeehan
tonymeehan
/ gist:2cdf235c82192fcaa58787f6bb552ffb
Last active
January 21, 2021 08:22
Getting started with adding a new security data source in your Elastic SIEM - Logstash configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| beats { | |
| port => 5044 | |
| } | |
| } | |
| filter { | |
| if [crowdstrike][metadata][eventType] != "DetectionSummaryEvent" { | |
| drop { } | |
| } |
tonymeehan
/ gist:51b68ebde9f789ce50280cf115459773
Last active
April 24, 2020 18:03
Getting started with adding a new security data source in your Elastic SIEM - Filebeat processors configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filebeat.inputs: | |
| - type: log | |
| paths: | |
| - /var/log/crowdstrike/falconhoseclient/output | |
| multiline.pattern: '^{' | |
| multiline.negate: true | |
| multiline.match: after |
tonymeehan
/ gist:23f434b23265241274e76383bdc85561
Last active
April 8, 2020 14:28
Getting started with adding a new security data source in your Elastic SIEM - Filebeat configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filebeat.inputs: | |
| - type: log | |
| paths: | |
| - /var/log/crowdstrike/falconhoseclient/output | |
| multiline.pattern: '^{' | |
| multiline.negate: true | |
| multiline.match: after |
tonymeehan
/ gist:d920f6fd49e9fb25fd6312d311f9b45e
Last active
October 14, 2021 12:19
Getting started with adding a new security data source in your Elastic SIEM - Ingest Pipeline
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PUT _ingest/pipeline/crowdstrike_falcon | |
| { | |
| "processors": | |
| [ | |
| { | |
| "set": { | |
| "field": "event.action", | |
| "value": "{{crowdstrike.event.PatternDispositionDescription}}", | |
| "if": "ctx.crowdstrike?.event?.PatternDispositionDescription != null" | |
| } |
tonymeehan
/ gist:f0728b97ba6d0b8537bcbd7db8ed25cb
Created
April 7, 2020 21:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "date": { | |
| "field": "crowdstrike.metadata.eventCreationTime", | |
| "target_field": "@timestamp", | |
| "formats": ["UNIX_MS"], | |
| "timezone": "UTC" | |
| } | |
| }, | |
| { | |
| "set": { |
tonymeehan
/ gist:34298b5bff737ee8475970a75308fdfa
Created
February 18, 2020 18:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| output { | |
| if [@metadata][pipeline] { | |
| elasticsearch { | |
| hosts => ["http://localhost:9200"] | |
| index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" | |
| user => "elastic" | |
| password => "changeme" | |
| pipeline => "%{[@metadata][pipeline]}" | |
| } | |
| } else { |
tonymeehan
/ gist:4996a0cb4f1eb3362c41076b1ba34a99
Last active
February 27, 2020 14:51
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - type: log | |
| enabled: true | |
| paths: | |
| - /var/log/crowdstrike/falconhoseclient/output | |
| multiline.pattern: '^{' | |
| multiline.negate: true | |
| multiline.match: after | |
| multiline.max_lines: 5000 | |
| multiline.timeout: 10 |