@tonymeehan
Last active April 8, 2020 14:28
Getting started with adding a new security data source in your Elastic SIEM - Filebeat configuration
filebeat.inputs:
- type: log
  paths:
    - /var/log/crowdstrike/falconhoseclient/output
  # The Falcon SIEM connector writes each event as pretty-printed JSON that spans
  # several lines. Every line that does not start with '{' is appended to the
  # event that began on the preceding '{' line, so one event reaches Elasticsearch
  # as one document.
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match: after

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

cloud.id: "your cloud id goes here"
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
cloud.auth: "your cloud auth goes here"

output.elasticsearch:
  # Ingest pipeline the events are routed through. It is defined separately in
  # Elasticsearch and must exist before Filebeat starts shipping, otherwise
  # indexing fails.
  pipeline: crowdstrike_falcon

processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_kubernetes_metadata: ~
# Parse the joined JSON text held in `message` into fields under `crowdstrike`,
# then drop the raw text so the event is not indexed twice.
- decode_json_fields:
    fields: ['message']
    target: "crowdstrike"
- drop_fields:
    fields: ['message']
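Added illustration, not part of the gist: a small Python emulation of what the configuration above does to the connector's output file (multiline grouping, then decode_json_fields and drop_fields), so the settings can be checked against sample data before Filebeat is run. The two sample events and their field names are constructed assumptions, not CrowdStrike's real event schema, and the handling of a non-JSON chunk is this example's own choice rather than Filebeat's behaviour.

```python
import json
import re

# Constructed sample of the Falcon SIEM connector output file: two pretty-printed
# JSON events, each starting with '{' in column 1 and continuing on indented lines.
# Field names are illustrative assumptions, not the real CrowdStrike schema.
SAMPLE_OUTPUT = """\
{
  "metadata": {"eventType": "DetectionSummaryEvent", "offset": 1},
  "event": {"Severity": 4, "ComputerName": "host-a"}
}
{
  "metadata": {"eventType": "UserActivityAuditEvent", "offset": 2},
  "event": {"OperationName": "userAuthenticate"}
}
"""

MULTILINE_PATTERN = re.compile(r"^{")  # multiline.pattern: '^{'


def group_multiline(lines, pattern=MULTILINE_PATTERN, negate=True):
    """Emulate multiline.negate: true / multiline.match: after.

    A line that does NOT match the pattern is appended to the event in
    progress; a line that matches starts a new event.
    """
    events, current = [], []
    for line in lines:
        matched = bool(pattern.search(line))
        continuation = (not matched) if negate else matched
        if current and continuation:
            current.append(line)
        else:
            if current:
                events.append("\n".join(current))
            current = [line]
    if current:
        events.append("\n".join(current))
    return events


def process(raw_text):
    """Group lines into events, then emulate decode_json_fields + drop_fields."""
    docs = []
    for message in group_multiline(raw_text.splitlines()):
        doc = {"message": message}
        try:
            doc["crowdstrike"] = json.loads(message)  # target: "crowdstrike"
            del doc["message"]                        # drop_fields: message
        except json.JSONDecodeError:
            # Example's own choice: keep the raw text and flag it, so a broken
            # chunk is visible for review instead of becoming an empty document.
            doc["decode_failed"] = True
        docs.append(doc)
    return docs
```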