@tonymeehan
Last active January 21, 2021 08:22
Getting started with adding a new security data source in your Elastic SIEM - Logstash configuration
input {
  # Events arrive from a Beats shipper that already nests the Falcon streaming-API
  # payload under [crowdstrike][metadata] and [crowdstrike][event].
  # No TLS is configured on this listener; enable ssl before exposing it beyond localhost.
  beats {
    port => 5044
  }
}

filter {
  # Only detection summaries are mapped below; every other Falcon event type is discarded.
  if [crowdstrike][metadata][eventType] != "DetectionSummaryEvent" {
    drop { }
  }

  # Map Falcon detection fields onto ECS. `copy` leaves the source value in place under
  # [crowdstrike][event]; `rename` moves DetectDescription to [message] and removes the
  # source field. Inside one mutate block, rename always runs before copy.
  # Note: MachineDomain is the endpoint's domain, so [host][domain] may fit better than
  # [user][domain]; the original mapping is kept here.
  mutate {
    rename => { '[crowdstrike][event][DetectDescription]' => '[message]' }
    copy => {
      '[crowdstrike][event][PatternDispositionDescription]' => '[event][action]'
      '[crowdstrike][event][Severity]'                      => '[event][severity]'
      '[crowdstrike][event][FalconHostLink]'                => '[event][url]'
      '[crowdstrike][event][MD5String]'                     => '[file][hash][md5]'
      '[crowdstrike][event][SHA256String]'                  => '[file][hash][sha256]'
      '[crowdstrike][event][ComputerName]'                  => '[host][name]'
      '[crowdstrike][event][CommandLine]'                   => '[process][command_line]'
      '[crowdstrike][event][FileName]'                      => '[process][name]'
      '[crowdstrike][event][DetectName]'                    => '[rule][name]'
      '[crowdstrike][event][Tactic]'                        => '[threat][tactic][name]'
      '[crowdstrike][event][Technique]'                     => '[threat][technique][name]'
      '[crowdstrike][event][MachineDomain]'                 => '[user][domain]'
      '[crowdstrike][event][UserName]'                      => '[user][name]'
      '[crowdstrike][event][SensorId]'                      => '[agent][id]'
    }
    # Static ECS categorisation applied to every detection.
    add_field => {
      '[event][kind]'     => 'alert'
      '[event][type]'     => [ 'info' ]
      '[event][category]' => [ 'malware' ]
    }
  }

  # Falcon reports eventCreationTime in epoch milliseconds; use it as the event time.
  date {
    match  => ["[crowdstrike][metadata][eventCreationTime]", "UNIX_MS"]
    target => "[@timestamp]"
  }
}

output {
  # Fill in hosts and password for your cluster. Prefer a dedicated least-privilege
  # writer role over the elastic superuser, and keep the password in the Logstash
  # keystore (referenced as ${ES_PWD}) rather than in plain text.
  elasticsearch {
    hosts    => [""]
    index    => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user     => "elastic"
    password => ""
  }
}
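To sanity-check what the filter section above produces before pointing it at a cluster, here is an added Python reference implementation of the same mapping (example code written for this page, not code from the gist, Elastic or CrowdStrike). It mirrors the drop condition, mutate's rename-before-copy ordering, the add_field constants and the UNIX_MS date conversion, and runs them over a constructed DetectionSummaryEvent whose field values are invented. One deliberate simplification is noted in a comment: absent source fields are skipped rather than copied as nulls.

```python
"""Offline reference for the gist's CrowdStrike -> ECS Logstash mapping (added example)."""
import copy
from datetime import datetime, timezone

# Same source -> destination pairs as the mutate `copy` block, in dotted-path form.
COPY = {
    "crowdstrike.event.PatternDispositionDescription": "event.action",
    "crowdstrike.event.Severity": "event.severity",
    "crowdstrike.event.FalconHostLink": "event.url",
    "crowdstrike.event.MD5String": "file.hash.md5",
    "crowdstrike.event.SHA256String": "file.hash.sha256",
    "crowdstrike.event.ComputerName": "host.name",
    "crowdstrike.event.CommandLine": "process.command_line",
    "crowdstrike.event.FileName": "process.name",
    "crowdstrike.event.DetectName": "rule.name",
    "crowdstrike.event.Tactic": "threat.tactic.name",
    "crowdstrike.event.Technique": "threat.technique.name",
    "crowdstrike.event.MachineDomain": "user.domain",
    "crowdstrike.event.UserName": "user.name",
    "crowdstrike.event.SensorId": "agent.id",
}
# `rename` moves the value and removes the source field.
RENAME = {"crowdstrike.event.DetectDescription": "message"}
# `add_field` constants; a one-element array lands as a scalar when the field is new.
ADD_FIELD = {"event.kind": "alert", "event.type": "info", "event.category": "malware"}


def _get(doc, path):
    """Walk a dotted path ([a][b][c] in Logstash syntax); None if any step is missing."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _set(doc, path, value):
    keys = path.split(".")
    cur = doc
    for key in keys[:-1]:
        cur = cur.setdefault(key, {})
    cur[keys[-1]] = value


def _remove(doc, path):
    *parents, leaf = path.split(".")
    parent = _get(doc, ".".join(parents)) if parents else doc
    if isinstance(parent, dict):
        parent.pop(leaf, None)


def to_ecs(raw):
    """Return the document the filter section would emit, or None when `drop { }` fires."""
    if _get(raw, "crowdstrike.metadata.eventType") != "DetectionSummaryEvent":
        return None
    doc = copy.deepcopy(raw)  # leave the caller's event untouched
    # mutate applies rename before copy regardless of the order written in the config.
    for src, dst in RENAME.items():
        val = _get(doc, src)
        if val is not None:
            _set(doc, dst, val)
            _remove(doc, src)
    for src, dst in COPY.items():
        val = _get(doc, src)
        if val is not None:  # simplification: Logstash's copy would write a null for a missing source
            _set(doc, dst, val)
    for path, val in ADD_FIELD.items():
        _set(doc, path, val)
    # date { match => [..., "UNIX_MS"] target => "[@timestamp]" }: epoch millis -> ISO 8601 UTC
    ms = _get(doc, "crowdstrike.metadata.eventCreationTime")
    if isinstance(ms, int):
        ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
        doc["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ms % 1000:03d}Z"
    return doc


# Constructed sample in the shape a Beats shipper delivers a DetectionSummaryEvent;
# every value, including the (empty-input) hashes and the link, is invented.
DETECTION = {
    "crowdstrike": {
        "metadata": {"eventType": "DetectionSummaryEvent", "eventCreationTime": 1611216000123},
        "event": {
            "PatternDispositionDescription": "Prevention, process killed.",
            "Severity": 4,
            "FalconHostLink": "https://falcon.example/activity/detections/detail/example",
            "MD5String": "d41d8cd98f00b204e9800998ecf8427e",
            "SHA256String": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "ComputerName": "WKSTN-042",
            "DetectDescription": "A process launched a suspicious PowerShell command line.",
            "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
            "FileName": "powershell.exe",
            "DetectName": "Suspicious PowerShell Execution",
            "Tactic": "Execution",
            "Technique": "PowerShell",
            "MachineDomain": "CORP",
            "UserName": "jdoe",
            "SensorId": "0123456789abcdef0123456789abcdef",
        },
    }
}
# Constructed non-detection event: any other eventType hits the drop filter.
AUDIT = {"crowdstrike": {"metadata": {"eventType": "UserActivityAuditEvent"}, "event": {}}}

if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs(DETECTION), indent=2))
    print(to_ecs(AUDIT))
```

Run it and compare the printed document with what Logstash emits for the same input when you temporarily add a `stdout { codec => rubydebug }` output; the two should agree on every ECS field, and the dropped audit event should never reach the output at all.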