Getting started with adding a new security data source in your Elastic SIEM - Filebeat processors configuration
filebeat.inputs:
- type: log
  paths:
    - /var/log/crowdstrike/falconhoseclient/output
  # Lines that do not start with "{" are appended to the preceding event.
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match: after

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

cloud.id: ""
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
cloud.auth: ""

#output.elasticsearch:
#  pipeline: crowdstrike_falcon

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_kubernetes_metadata: ~
  # Parse the raw JSON event into the "crowdstrike" object, then drop the raw text.
  - decode_json_fields:
      fields: ['message']
      target: "crowdstrike"
  - drop_fields:
      fields: ['message']
  # Use the event creation time (epoch milliseconds) as the event timestamp.
  - timestamp:
      field: crowdstrike.metadata.eventCreationTime
      target_field: "@timestamp"
      layouts:
        - UNIX_MS
      timezone: UTC
      ignore_missing: true
      ignore_failure: true
  # Map vendor fields to ECS. copy_fields does not overwrite an existing target,
  # and with fail_on_error: false such a copy is skipped silently; verify
  # host.name and agent.id, which Filebeat normally populates itself.
  - copy_fields:
      fields:
        - from: crowdstrike.event.PatternDispositionDescription
          to: event.action
        - from: crowdstrike.event.Severity
          to: event.severity
        - from: crowdstrike.event.FalconHostLink
          to: event.url
        - from: crowdstrike.event.MD5String
          to: file.hash.md5
        - from: crowdstrike.event.SHA256String
          to: file.hash.sha256
        - from: crowdstrike.event.ComputerName
          to: host.name
        - from: crowdstrike.event.CommandLine
          to: process.command_line
        - from: crowdstrike.event.FileName
          to: process.name
        - from: crowdstrike.event.DetectName
          to: rule.name
        - from: crowdstrike.event.Tactic
          to: threat.tactic.name
        - from: crowdstrike.event.Technique
          to: threat.technique.name
        - from: crowdstrike.event.MachineDomain
          to: user.domain
        - from: crowdstrike.event.UserName
          to: user.name
        - from: crowdstrike.event.SensorId
          to: agent.id
      ignore_missing: true
      fail_on_error: false
  # The detection description becomes the human-readable message.
  - rename:
      fields:
        - from: crowdstrike.event.DetectDescription
          to: message
      ignore_missing: true
      fail_on_error: false
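
To check the field mapping offline before shipping events, the processor chain above can be approximated in Python. This is an added example, not part of the original gist and not Filebeat code: `to_ecs`, `COPY`, `SAMPLE` and the `preset` argument are hypothetical names, the sample event is constructed, and the sketch assumes `copy_fields` leaves an already populated target untouched (confirm against your Filebeat version).

```python
import json
from datetime import datetime, timezone

# copy_fields mapping from the config; sources are relative to crowdstrike.event.
COPY = {
    "PatternDispositionDescription": "event.action", "Severity": "event.severity",
    "FalconHostLink": "event.url", "MD5String": "file.hash.md5",
    "SHA256String": "file.hash.sha256", "ComputerName": "host.name",
    "CommandLine": "process.command_line", "FileName": "process.name",
    "DetectName": "rule.name", "Tactic": "threat.tactic.name",
    "Technique": "threat.technique.name", "MachineDomain": "user.domain",
    "UserName": "user.name", "SensorId": "agent.id",
}

def get(doc, path):  # value at a dotted path, or None if any part is missing
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def put(doc, path, value):  # set a dotted path, creating intermediate objects
    *parents, leaf = path.split(".")
    for key in parents:
        doc = doc.setdefault(key, {})
    doc[leaf] = value

def to_ecs(message, preset=None):
    """Approximate the processor chain for one multiline-joined JSON message."""
    doc = json.loads(json.dumps(preset or {}))   # fields set before the processors
    doc["crowdstrike"] = json.loads(message)     # decode_json_fields + drop_fields
    ms = get(doc, "crowdstrike.metadata.eventCreationTime")
    if ms is not None:                           # timestamp, layout UNIX_MS, UTC
        doc["@timestamp"] = datetime.fromtimestamp(ms / 1000, timezone.utc).isoformat()
    skipped = []
    for src, dst in COPY.items():
        value = get(doc, "crowdstrike.event." + src)
        if value is not None and get(doc, dst) is None:
            put(doc, dst, value)
        elif value is not None:
            skipped.append(dst)                  # assumed: existing target is kept
    event = get(doc, "crowdstrike.event")
    if isinstance(event, dict) and "DetectDescription" in event:
        doc["message"] = event.pop("DetectDescription")   # rename
    return doc, skipped

# Constructed sample event (not real Falcon output), pretty-printed over several lines.
SAMPLE = json.dumps({"metadata": {"eventCreationTime": 1577836800000}, "event": {
    "ComputerName": "WS-01", "Severity": 4, "DetectName": "Example detection",
    "DetectDescription": "constructed description"}}, indent=2)
```

Calling `to_ecs(SAMPLE, preset={"host": {"name": "filebeat-host"}})` returns the mapped document together with the list of targets that were not overwritten, which is the quickest way to spot ECS fields that still carry the collector's values instead of the endpoint's.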