Tony Meehan (tonymeehan)

tonymeehan / gist:2cdf235c82192fcaa58787f6bb552ffb
Last active Jan 21, 2021
Getting started with adding a new security data source in your Elastic SIEM - Logstash configuration
input {
  beats {
    port => 5044
  }
}
filter {
  # Keep only detection summaries. Note that the conditional is also true when
  # the field is absent, so anything not decoded into [crowdstrike] is dropped too.
  if [crowdstrike][metadata][eventType] != "DetectionSummaryEvent" {
    drop { }
  }
}
tonymeehan / gist:51b68ebde9f789ce50280cf115459773
Last active Apr 24, 2020
Getting started with adding a new security data source in your Elastic SIEM - Filebeat processors configuration
filebeat.inputs:
  - type: log
    paths:
      - /var/log/crowdstrike/falconhoseclient/output
    # The SIEM connector writes pretty-printed JSON, one document per block.
    # A line that does not start with '{' is appended to the preceding line that
    # did, so each document is shipped as a single event.
    multiline.pattern: '^{'
    multiline.negate: true
    multiline.match: after
tonymeehan / gist:23f434b23265241274e76383bdc85561
Last active Apr 8, 2020
Getting started with adding a new security data source in your Elastic SIEM - Filebeat configuration
filebeat.inputs:
  - type: log
    paths:
      - /var/log/crowdstrike/falconhoseclient/output
    # Join each pretty-printed JSON document into one event: every line not
    # beginning with '{' belongs to the document opened by the last '{' line.
    multiline.pattern: '^{'
    multiline.negate: true
    multiline.match: after
tonymeehan / gist:d920f6fd49e9fb25fd6312d311f9b45e
Last active Oct 14, 2021
Getting started with adding a new security data source in your Elastic SIEM - Ingest Pipeline
PUT _ingest/pipeline/crowdstrike_falcon
{
  "processors": [
    {
      "set": {
        "field": "event.action",
        "value": "{{crowdstrike.event.PatternDispositionDescription}}",
        "if": "ctx.crowdstrike?.event?.PatternDispositionDescription != null"
      }
    }
  ]
}
tonymeehan / gist:f0728b97ba6d0b8537bcbd7db8ed25cb
{
  "date": {
    "field": "crowdstrike.metadata.eventCreationTime",
    "target_field": "@timestamp",
    "formats": ["UNIX_MS"],
    "timezone": "UTC"
  }
},
{
  "set": {
tonymeehan / gist:34298b5bff737ee8475970a75308fdfa
output {
  if [@metadata][pipeline] {
    elasticsearch {
      # Lab settings: plain HTTP and the built-in superuser with its well-known
      # placeholder password. Outside a lab, use HTTPS, a least-privilege ingest
      # role and the Logstash keystore rather than a literal password here.
      hosts => ["http://localhost:9200"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "changeme"
      # Route the document through the ingest pipeline Filebeat named in @metadata.
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
tonymeehan / gist:4996a0cb4f1eb3362c41076b1ba34a99
  - type: log
    enabled: true
    paths:
      - /var/log/crowdstrike/falconhoseclient/output
    multiline.pattern: '^{'
    multiline.negate: true
    multiline.match: after
    # Bounds for one joined document: stop aggregating after 5000 lines, and
    # flush whatever has been collected once the timeout passes with no new line,
    # so a truncated or slowly written record cannot stall the input.
    multiline.max_lines: 5000
    multiline.timeout: 10
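The snippets above configure three separate stages (Filebeat multiline joining, the Logstash eventType drop filter, and the ingest pipeline's conditional set and date processors) but none of them can be run in isolation to see what happens to a record. The following Python script is an added example, not part of any of the gists, that simulates all three stages over a constructed sample of Falcon SIEM connector output. It assumes, as the Logstash conditional `[crowdstrike][metadata][eventType]` implies, that the joined JSON is decoded under a top-level `crowdstrike` key somewhere before the filter runs; the sample records and all function names are invented for the illustration.

```python
"""Offline simulation of the pipeline the gists configure:
Filebeat multiline join -> (assumed) JSON decode under 'crowdstrike'
-> Logstash drop filter -> ingest 'set' and 'date' processors.
Example code added to this page, not from the gists; sample data is constructed."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what the Falcon SIEM connector writes to its output file:
# pretty-printed JSON, one document per block, each opening with '{' at column 0.
SAMPLE_OUTPUT = """{
  "metadata": {
    "eventType": "DetectionSummaryEvent",
    "eventCreationTime": 1586354400123
  },
  "event": {
    "PatternDispositionDescription": "Prevention, process killed.",
    "ComputerName": "host-01"
  }
}
{
  "metadata": {
    "eventType": "UserActivityAuditEvent",
    "eventCreationTime": 1586354460000
  },
  "event": {
    "OperationName": "detection_update"
  }
}
{
  "metadata": {
    "eventType": "DetectionSummaryEvent",
    "eventCreationTime": 1586354520000
  },
  "event": {
    "ComputerName": "host-02"
  }
}
"""

MULTILINE_PATTERN = re.compile(r"^{")  # multiline.pattern: '^{'


def join_multiline(text, max_lines=5000):
    """multiline.negate: true, multiline.match: after, multiline.max_lines.

    A line that does NOT match '^{' is appended to the document opened by the
    most recent line that did. Continuation lines beyond max_lines are discarded,
    and a continuation line seen before any '{' line has nothing to attach to.
    """
    events, current = [], []
    for line in text.splitlines():
        if MULTILINE_PATTERN.match(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        elif current and len(current) < max_lines:
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def decode_into_crowdstrike(raw_event):
    """Assumed decode step: parse the joined JSON under a 'crowdstrike' object,
    the layout the Logstash field reference [crowdstrike][metadata][eventType] expects."""
    return {"message": raw_event, "crowdstrike": json.loads(raw_event)}


def logstash_drop_filter(doc):
    """Logstash filter: keep only DetectionSummaryEvent; None means the event was dropped.
    A document with no eventType field is dropped as well, matching Logstash's '!='."""
    event_type = doc.get("crowdstrike", {}).get("metadata", {}).get("eventType")
    return doc if event_type == "DetectionSummaryEvent" else None


def ingest_pipeline(doc):
    """The two ingest processors from the gists: a 'set' of event.action guarded by the
    null-safe 'if', and a 'date' processor turning UNIX_MS eventCreationTime into @timestamp."""
    cs = doc["crowdstrike"]
    disposition = cs.get("event", {}).get("PatternDispositionDescription")
    if disposition is not None:  # ctx.crowdstrike?.event?.PatternDispositionDescription != null
        doc.setdefault("event", {})["action"] = disposition
    millis = cs["metadata"]["eventCreationTime"]
    ts = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=millis)
    doc["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{millis % 1000:03d}Z"
    return doc


def run_pipeline(text):
    """Run a raw connector output file through all stages; returns the indexed documents."""
    docs = []
    for raw in join_multiline(text):
        doc = logstash_drop_filter(decode_into_crowdstrike(raw))
        if doc is not None:
            docs.append(ingest_pipeline(doc))
    return docs


if __name__ == "__main__":
    for d in run_pipeline(SAMPLE_OUTPUT):
        print(d["@timestamp"], d.get("event", {}).get("action"),
              d["crowdstrike"]["event"].get("ComputerName"))
```

Running it shows the audit event discarded by the filter, the first detection gaining `event.action` from its disposition text, and the second detection (which has no `PatternDispositionDescription`) passing through with only `@timestamp` set, which is exactly the behaviour the `if` guard on the set processor exists to allow.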