diff --git a/docker/helk-kibana-analysis-alert-basic.yml b/docker/helk-kibana-analysis-alert-basic.yml
index 4760350..596b7fe 100644
--- a/docker/helk-kibana-analysis-alert-basic.yml
+++ b/docker/helk-kibana-analysis-alert-basic.yml
@@ -43,6 +43,7 @@ services:
 ports:
 - "5044:5044"
 - "8531:8531"
+ - "3515:3515"
 restart: always
 depends_on:
 - helk-kibana
@@ -103,7 +104,7 @@ services:
 REPLICATION_FACTOR: 1
 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
 ZOOKEEPER_NAME: helk-zookeeper
- KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+ KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
 KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
 LOG_RETENTION_HOURS: 4
 ports:
diff --git a/docker/helk-kibana-analysis-alert-trial.yml b/docker/helk-kibana-analysis-alert-trial.yml
index 2ec8cc9..69e9d5d 100644
--- a/docker/helk-kibana-analysis-alert-trial.yml
+++ b/docker/helk-kibana-analysis-alert-trial.yml
@@ -45,6 +45,7 @@ services:
 ports:
 - "5044:5044"
 - "8531:8531"
+ - "3515:3515"
 restart: always
 depends_on:
 - helk-kibana
@@ -104,7 +105,7 @@ services:
 REPLICATION_FACTOR: 1
 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
 ZOOKEEPER_NAME: helk-zookeeper
- KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+ KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
 KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
 LOG_RETENTION_HOURS: 4
 ports:
diff --git a/docker/helk-kibana-analysis-basic.yml b/docker/helk-kibana-analysis-basic.yml
index 3f94d74..378b48f 100644
--- a/docker/helk-kibana-analysis-basic.yml
+++ b/docker/helk-kibana-analysis-basic.yml
@@ -43,6 +43,7 @@ services:
 ports:
 - "5044:5044"
 - "8531:8531"
+ - "3515:3515"
 restart: always
 depends_on:
 - helk-kibana
@@ -103,7 +104,7 @@ services:
 REPLICATION_FACTOR: 1
 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
 ZOOKEEPER_NAME: helk-zookeeper
- KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+ KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
 KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
 LOG_RETENTION_HOURS: 4
 ports:
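Review bot: The added `- "3515:3515"` publishes the new Logstash TCP listener on every host interface, because a Compose port mapping without a host address binds 0.0.0.0 and Docker's own iptables rules sit in front of the host firewall policy; the same mapping is repeated in all eight compose files of this commit. The input it exposes (`0006-nxlog-mordor-input.conf`, also in this commit) has no TLS and no client authentication, so anyone who can reach the host can push arbitrary JSON events into the `nxlog_mordor` topic and from there into the SIEM. If Mordor datasets are replayed from the Docker host itself, bind to loopback, `- "127.0.0.1:3515:3515"`; if they come from another machine, pin the mapping to that one host interface rather than all of them. Either way a one-line comment above the mapping, `# NXLog/Mordor replay input (plaintext, unauthenticated) -- keep off untrusted networks`, would tell operators what they are opening.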
diff --git a/docker/helk-kibana-analysis-trial.yml b/docker/helk-kibana-analysis-trial.yml
index df9b442..0423977 100644
--- a/docker/helk-kibana-analysis-trial.yml
+++ b/docker/helk-kibana-analysis-trial.yml
@@ -45,6 +45,7 @@ services:
 ports:
 - "5044:5044"
 - "8531:8531"
+ - "3515:3515"
 restart: always
 depends_on:
 - helk-kibana
@@ -104,7 +105,7 @@ services:
 REPLICATION_FACTOR: 1
 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
 ZOOKEEPER_NAME: helk-zookeeper
- KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+ KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
 KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
 LOG_RETENTION_HOURS: 4
 ports:
diff --git a/docker/helk-kibana-notebook-analysis-alert-basic.yml b/docker/helk-kibana-notebook-analysis-alert-basic.yml
index 7708f27..54b1b26 100644
--- a/docker/helk-kibana-notebook-analysis-alert-basic.yml
+++ b/docker/helk-kibana-notebook-analysis-alert-basic.yml
@@ -43,6 +43,7 @@ services:
 ports:
 - "5044:5044"
 - "8531:8531"
+ - "3515:3515"
 restart: always
 depends_on:
 - helk-kibana
@@ -103,7 +104,7 @@ services:
 REPLICATION_FACTOR: 1
 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
 ZOOKEEPER_NAME: helk-zookeeper
- KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+ KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
 KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
 LOG_RETENTION_HOURS: 4
 ports:
diff --git a/docker/helk-kibana-notebook-analysis-alert-trial.yml b/docker/helk-kibana-notebook-analysis-alert-trial.yml
index e69d359..f1c682b 100644
--- a/docker/helk-kibana-notebook-analysis-alert-trial.yml
+++ b/docker/helk-kibana-notebook-analysis-alert-trial.yml
@@ -45,6 +45,7 @@ services:
 ports:
 - "5044:5044"
 - "8531:8531"
+ - "3515:3515"
 restart: always
 depends_on:
 - helk-kibana
@@ -105,7 +106,7 @@ services:
 REPLICATION_FACTOR: 1
 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
 ZOOKEEPER_NAME: helk-zookeeper
- KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+ KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
 KAFKA_HEAP_OPTS: -Xmx1g -Xms1g
 LOG_RETENTION_HOURS: 4
 ports:
diff --git a/docker/helk-kibana-notebook-analysis-basic.yml b/docker/helk-kibana-notebook-analysis-basic.yml
index 6e288e2..5a5ce19 100644
--- a/docker/helk-kibana-notebook-analysis-basic.yml
+++ b/docker/helk-kibana-notebook-analysis-basic.yml
@@ -43,6 +43,7 @@ services:
 ports:
 - "5044:5044"
 - "8531:8531"
+ - "3515:3515"
 restart: always
 depends_on:
 - helk-kibana
@@ -103,7 +104,7 @@ services:
 REPLICATION_FACTOR: 1
 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
 ZOOKEEPER_NAME: helk-zookeeper
- KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+ KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
 KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
 LOG_RETENTION_HOURS: 4
 ports:
diff --git a/docker/helk-kibana-notebook-analysis-trial.yml b/docker/helk-kibana-notebook-analysis-trial.yml
index 6650f51..f2b8807 100644
--- a/docker/helk-kibana-notebook-analysis-trial.yml
+++ b/docker/helk-kibana-notebook-analysis-trial.yml
@@ -45,6 +45,7 @@ services:
 ports:
 - "5044:5044"
 - "8531:8531"
+ - "3515:3515"
 restart: always
 depends_on:
 - helk-kibana
@@ -105,7 +106,7 @@ services:
 REPLICATION_FACTOR: 1
 ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
 ZOOKEEPER_NAME: helk-zookeeper
- KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+ KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
 KAFKA_HEAP_OPTS: -Xmx1g -Xms1g
 LOG_RETENTION_HOURS: 4
 ports:
diff --git a/docker/helk-logstash/pipeline/0006-nxlog-mordor-input.conf b/docker/helk-logstash/pipeline/0006-nxlog-mordor-input.conf
new file mode 100644
index 0000000..7c81ee9
--- /dev/null
+++ b/docker/helk-logstash/pipeline/0006-nxlog-mordor-input.conf
@@ -0,0 +1,12 @@
+# HELK NXLog Windows Logs Syslog TCP Mordor input conf
+# HELK build Stage: Alpha
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+input {
+ tcp {
+ port => 3515
+ type => "nxlog-mordor"
+ codec => json { charset => "CP1252" }
+ }
+}
\ No newline at end of file
diff --git a/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf b/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf
index ebcc232..3384365 100644
--- a/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf
+++ b/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf
@@ -67,7 +67,7 @@ filter {
 }
 }
- else if [Message] {
+ else if [Message] and [type] != "nxlog-mordor" {
 fingerprint {
 source => "Message"
 target => "[@metadata][log_hash]"
diff --git a/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf b/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf
index 3adad72..43cc30d 100644
--- a/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf
+++ b/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf
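Review bot: The `tcp { port => 3515 ... }` block sets no `ssl_enable`, so the listener the compose files in this commit publish on 3515 accepts unauthenticated plaintext JSON from any peer that can reach it, and a forged event lands in the same pipeline as real telemetry. If the replay host is not the Docker host itself, turn on TLS with client verification (`ssl_enable => true`, `ssl_cert`/`ssl_key`, `ssl_verify => true` with the replayer's CA), or state in the header comment that this input is only meant for loopback replays. The plain `json` codec decodes whatever bytes one read delivers; if NXLog's om_tcp sends newline-delimited JSON (its usual to_json output), a message split across two reads or two messages in one read yields `_jsonparsefailure` events, and `codec => json_lines { charset => "CP1252" }` is the form the tcp input documentation recommends for that framing. Also note that `type => "nxlog-mordor"` is only applied when the decoded document carries no `type` of its own, so a sender can choose a different `type` and steer the event past the `[type]` checks added elsewhere in this commit; `tags => ["nxlog-mordor"]` is always appended and cannot be suppressed by the payload.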
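Review bot: The new `and [type] != "nxlog-mordor"` guard means an nxlog-mordor event with a `Message` no longer gets `[@metadata][log_hash]` here, and nothing in the hunk says why or where those events are hashed instead; if the Elasticsearch output uses that hash as `document_id` (I cannot see the output from this hunk), such events would either be indexed with auto-generated ids and lose de-duplication, or fail the output if the field is required. Add the reason above the condition, e.g. `# nxlog-mordor events are routed to Kafka by 9964-nxlog-mordor-output.conf and are not fingerprinted on Message here`, or whatever the actual intent is. Because `[type]` is only set by the tcp input when the incoming JSON has no `type` key, the exclusion is not something the sender can be prevented from opting out of; an input-added tag checked with `!("nxlog-mordor" in [tags])` would be more robust. The enclosing `filter {` block and the rest of this `else if` chain begin and end outside the hunk.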
@@ -4,33 +4,33 @@ # License: GPL-3.0 filter { + if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell" { + # Per Roberto's desire to have certain things like powershell non ascii and other enrichment's kept outside of the main powershell logstash config + # we are going to perform that enrichment in the config file previously, -- however in that file we are storing the field with, zDamTyILGeKD4H0.IbPK6g, appended [@metadata] + # this is so that users/whom-ever will the have option to delete this section and the field would get dropped during logstash output because appended with [@metadata] + # and also so we don't have to perform another for loop all over again (save some cycles on the hardware ;) - # Per Roberto's desire to have certain things like powershell non ascii and other enrichment's kept outside of the main powershell logstash config - # we are going to perform that enrichment in the config file previously, -- however in that file we are storing the field with, zDamTyILGeKD4H0.IbPK6g, appended [@metadata] - # this is so that users/whom-ever will the have option to delete this section and the field would get dropped during logstash output because appended with [@metadata] - # and also so we don't have to perform another for loop all over again (save some cycles on the hardware ;) + # 4103 + if [@metadata][powershell_param_value_has_non_ascii] != "" { + mutate { + copy => { "[@metadata][powershell_param_value_has_non_ascii]" => "meta_powershell_param_value_has_non_ascii" } + add_field => { "z_logstash_pipeline" => "copy-8802-001" } + } + } - # 4103 - if [@metadata][powershell_param_value_has_non_ascii] != "" { - mutate { - copy => { "[@metadata][powershell_param_value_has_non_ascii]" => "meta_powershell_param_value_has_non_ascii" } - add_field => { "z_logstash_pipeline" => "copy-8802-001" } + # 4104 + if [@metadata][powershell_scriptblock_text_has_non_ascii] != "" { + mutate { + copy => { 
"[@metadata][powershell_scriptblock_text_has_non_ascii]" => "meta_powershell_scriptblock_text_has_non_ascii" } + add_field => { "z_logstash_pipeline" => "copy-8802-002" } + } + } + + if [@metadata][powershell_scriptblock_text_length] { + mutate { + copy => { "[@metadata][powershell_scriptblock_text_length]" => "meta_powershell_scriptblock_text_length" } + add_field => { "z_logstash_pipeline" => "copy-8802-003" } + } } } - - # 4104 - if [@metadata][powershell_scriptblock_text_has_non_ascii] != "" { - mutate { - copy => { "[@metadata][powershell_scriptblock_text_has_non_ascii]" => "meta_powershell_scriptblock_text_has_non_ascii" } - add_field => { "z_logstash_pipeline" => "copy-8802-002" } - } - } - - if [@metadata][powershell_scriptblock_text_length] { - mutate { - copy => { "[@metadata][powershell_scriptblock_text_length]" => "meta_powershell_scriptblock_text_length" } - add_field => { "z_logstash_pipeline" => "copy-8802-003" } - } - } - } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/9964-nxlog-mordor-output.conf b/docker/helk-logstash/pipeline/9964-nxlog-mordor-output.conf new file mode 100644 index 0000000..d2806f5 --- /dev/null +++ b/docker/helk-logstash/pipeline/9964-nxlog-mordor-output.conf @@ -0,0 +1,14 @@ +# HELK NXLog Windows Logs Syslog TCP Mordor Output conf +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g) +# License: GPL-3.0 + +output { + if [type] == "nxlog-mordor" { + kafka { + bootstrap_servers => "helk-kafka-broker:9092" + codec => "json" + topic_id => "nxlog_mordor" + } + } +} \ No newline at end of file