Logstash sysmon config working

- rearranged the sysmon logstash configuration and fixed syntax issues
- deleted separate configs per log names
- got it back to a few logstash configs only for now
keyword-vs-text-changes
Roberto Rodriguez 2017-12-05 20:15:21 -08:00
parent 8858c58e06
commit e36f6db4e9
9 changed files with 173 additions and 248 deletions


@ -1,67 +1,162 @@
filter {
if [Channel] == "Microsoft-Windows-Sysmon/Operational" {
if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
if [event_id] == 1 {
kv {
source => "[event_data][Hashes]"
field_split => ","
value_split => ":"
include_keys => ["SHA1", "MD5", "IMPHASH"]
}
value_split => "="
target => [hash]
}
mutate {
rename => { "[event_data][CommandLine" => "[process][commandline]" }
rename => { "[event_data][CurrentDirectory" => "current_directory" }
rename => { "[event_data][Hashes][SHA1]" => "sha1" }
rename => { "[event_data][Hashes][MD5]" => "md5" }
rename => { "[event_data][Hashes][IMPHASH]" => "imphash" }
rename => { "[event_data][Image]" => "process"}
rename => { "[event_data][ImageLoaded" => "[process][module][loaded]"}
rename => { "[event_data][Signature]" => "[process][module][signature]"}
rename => { "[event_data][Signature]" => "[process][module][signature][status]"}
rename => { "[event_data][Signature]" => "[process][module][signed"}
rename => { "[event_data][IntegrityLevel]" => "[integrity][level]"}
rename => { "[event_data][LogonGuid]" => "[logon][guid]"}
rename => { "[event_data][ParentCommandLine]" => "[parent][process][commandline]"}
rename => { "[event_data][ParentImage]" => "[parent][process]"}
rename => { "[event_data][ParentProcessGuid]" => "[parent][process][guid]"}
rename => { "[event_data][ParentProcessId]" => "[parent][process][id]"}
rename => { "[event_data][ProcessGuid]" => "[process][guid]"}
rename => { "[event_data][ProcessId]" => "[process][id]"}
rename => { "[event_data][TerminalSessionId]" => "[terminal][session][id]"}
rename => { "[event_data][User]" => "user" }
rename => { "[event_data][NewThreatId]" => "[process][module][threadid]" }
rename => { "[event_data][StartAddress]" => "[process][module][start][address]" }
rename => { "[event_data][StartFunction]" => "[process][module][start][function]" }
rename => { "[event_data][StartModule]" => "[process][module][start]" }
rename => { "[event_data][Device]" => "Device" }
rename => { "[event_data][TargetFilename]" => "[file][name]" }
rename => { "[event_data][CreationUtcTime]" => "[file][time][creation]" }
rename => { "[event_data][CallTrace]" => "[process][access][calltrace]" }
rename => { "[event_data][GrantedAccess]" => "[process][access][code]" }
rename => { "[event_data][SourceImage]" => "[process][source]" }
rename => { "[event_data][SourceProcessGUID]" => "[process][source][guid]" }
rename => { "[event_data][SourceProcessId]" => "[process][source][id]" }
rename => { "[event_data][SourceThreadId]" => "[process][source][threatid]" }
rename => { "[event_data][TargetImage]" => "[process][target]" }
rename => { "[event_data][TargetProcessGUID]" => "[process][target][guid]" }
rename => { "[event_data][TargetProcessId]" => "[process][target][id]" }
rename => { "[event_data][DestinationHostname]" => "[destination][hostname]" }
rename => { "[event_data][DestinationIp]" => "[destination][ip]" }
rename => { "[event_data][DestinationIsIpv6]" => "[destination][is][ipv6]" }
rename => { "[event_data][DestinationPort]" => "[destination][port][number]" }
rename => { "[event_data][DestinationPortName]" => "[destination][port][name]" }
rename => { "[event_data][Initiated]" => "initiated" }
rename => { "[event_data][Protocol]" => "protocol" }
rename => { "[event_data][SourceHostname]" => "[source][hostname]" }
rename => { "[event_data][SourceIp]" => "[source][ip]" }
rename => { "[event_data][SourceIsIpv6]" => "[source][is][ipv6]" }
rename => { "[event_data][SourcePort]" => "[source][port][number]" }
rename => { "[event_data][SourcePortName]" => "[source][port][name]" }
rename => { "[event_data][EventType]" => "[registry][event][type]" }
rename => { "[event_data][TargetObject]" => "[registry][key]" }
rename => { "[event_data][Details]" => "[registry][details]" }
rename => { "[event_data][PipeName]" => "[pipe][name]" }
rename => { "[event_data][UtcTime]" => "[event][timestamp][utc]"}
remove_field => "[event_data][Hashes]"
}
mutate {
rename => {
"[event_data][CommandLine]" => "[process][commandline]"
"[event_data][CurrentDirectory]" => "[process][currentdirectory]"
"[event_data][Image]" => "[process][name]"
"[event_data][ParentImage]" => "[process][parent][name]"
"[event_data][ParentCommandLine]" => "[process][parent][commandline]"
"[event_data][IntegrityLevel]" => "[process][integritylevel]"
"[event_data][LogonGuid]" => "[process][logonguid]"
"[event_data][LogonId]" => "[process][logonid]"
"[event_data][ParentProcessGuid]" => "[process][parent][guid]"
"[event_data][ParentProcessId]" => "[process][parent][id]"
"[event_data][ProcessGuid]" => "[process][guid]"
"[event_data][ProcessId]" => "[process][id]"
"[event_data][TerminalSessionId]" => "[process][terminalsessionid]"
"[event_data][User]" => "username"
}
remove_field => ["message"]
}
}
if [event_id] == 3 {
mutate {
rename => {
"[event_data][DestinationHostname]" => "[destination][hostname]"
"[event_data][DestinationIp]" => "[destination][ip]"
"[event_data][DestinationIsIpv6]" => "[destination][isipv6]"
"[event_data][DestinationPort]" => "[destination][port][number]"
"[event_data][DestinationPortName]" => "[destination][port][name]"
"[event_data][Image]" => "[process][name]"
"[event_data][Initiated]" => "[network][initiated]"
"[event_data][ProcessGuid]" => "[process][guid]"
"[event_data][ProcessId]" => "[process][id]"
"[event_data][Protocol]" => "[network][protocol]"
"[event_data][SourceHostname]" => "[source][hostname]"
"[event_data][SourceIp]" => "[source][ip]"
"[event_data][SourceIsIpv6]" => "[source][isipv6]"
"[event_data][SourcePort]" => "[source][port][number]"
"[event_data][SourcePortName]" => "[source][port][name]"
"[event_data][User]" => "username"
}
remove_field => ["message"]
}
}
if [event_id] == 7 {
kv {
source => "[event_data][Hashes]"
field_split => ","
value_split => "="
target => [hash]
}
mutate {
remove_field => "[event_data][Hashes]"
}
mutate {
rename => {
"[event_data][Image]" => "[process][name]"
"[event_data][ProcessGuid]" => "[process][guid]"
"[event_data][ProcessId]" => "[process][id]"
"[event_data][ImageLoaded]" => "[process][image][loaded]"
"[event_data][Signature]" => "[process][image][signature]"
"[event_data][SignatureStatus]" => "[process][image][signaturestatus]"
"[event_data][Signed]" => "[process][image][signed]"
}
remove_field => ["message"]
}
}
if [event_id] == 8 {
mutate {
rename => {
"[event_data][NewThreadId]" => "[process][newthreadid]"
"[event_data][SourceImage]" => "[process][source][image]"
"[event_data][SourceProcessGuid]" => "[process][source][guid]"
"[event_data][SourceProcessId]" => "[process][source][id]"
"[event_data][StartAddress]" => "[process][startaddress]"
"[event_data][StartFunction]" => "[process][startfunction]"
"[event_data][StartModule]" => "[process][startimage]"
"[event_data][TargetImage]" => "[process][target][image]"
"[event_data][TargetProcessGuid]" => "[process][target][guid]"
"[event_data][TargetProcessId]" => "[process][target][id]"
}
remove_field => ["message"]
}
}
if [event_id] == 9 {
mutate {
rename => {
"[event_data][Device]" => "[rawaccess][read][[device]"
"[event_data][Image]" => "[process][name]"
"[event_data][ProcessGuid]" => "[process][guid]"
"[event_data][ProcessId]" => "[process][id]"
}
remove_field => ["message"]
}
}
if [event_id] == 10 {
mutate {
rename => {
"[event_data][CallTrace]" => "[process][calltrace]"
"[event_data][GrantedAccess]" => "[process][grantedaccess]"
"[event_data][SourceImage]" => "[process][source][image]"
"[event_data][SourceProcessGUID]" => "[process][source][guid]"
"[event_data][SourceProcessId]" => "[process][source][id]"
"[event_data][SourceThreadId]" => "[process][source][threadid]"
"[event_data][TargetImage]" => "[process][target][image]"
"[event_data][TargetProcessGUID]" => "[process][target][guid]"
"[event_data][TargetProcessId]" => "[process][target][id]"
}
remove_field => ["message"]
}
}
if [event_id] == 11 {
mutate {
rename => {
"[event_data][CreationUtcTime]" => "[file][creationtime][utc]"
"[event_data][Image]" => "[process][name]"
"[event_data][ProcessGuid]" => "[process][guid]"
"[event_data][ProcessId]" => "[process][id]"
"[event_data][TargetFilename]" => "[file][name]"
}
remove_field => ["message"]
}
}
if [event_id] == 12 or [event_id] == 13 {
mutate {
rename => {
"[event_data][EventType]" => "[registry][eventtype]"
"[event_data][Image]" => "[process][name]"
"[event_data][ProcessGuid]" => "[process][guid]"
"[event_data][ProcessId]" => "[process][id]"
"[event_data][TargetObject]" => "[registry][target][object]"
"[event_data][Details]" => "[registry][details]"
}
remove_field => ["message"]
}
}
if [event_id] == 18 or [event_id] == 17 {
mutate {
rename => {
"[event_data][Image]" => "[process][name]"
"[event_data][ProcessGuid]" => "[process][guid]"
"[event_data][ProcessId]" => "[process][id]"
"[event_data][PipeName]" => "[pipe][name]"
}
remove_field => ["message"]
}
}
mutate { rename => { "[event_data][UtcTime]" => "[event][creationtime][utc]" } }
}
}
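Review bot: The rename target on the event 9 branch, `"[event_data][Device]" => "[rawaccess][read][[device]"`, has a doubled opening bracket, so it is not a valid Logstash field reference and will most likely be rejected at config load or yield an unintended field name; it should read `"[event_data][Device]" => "[rawaccess][read][device]"`. The kv blocks for events 1 and 7 set `target => [hash]` as a bare single-element array where the documented setting is a string, so `target => "hash"` states the intent explicitly instead of relying on the validator coercing the array. Any event ID on this channel that matches none of the branches keeps its raw `event_data` and `message` fields while the matched ones are renamed and stripped, so documents in one index carry two naming schemes; a short comment above the first `if [event_id]` saying which IDs are normalized and that the rest pass through untouched would spare the next reader that reconstruction.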


@ -1,49 +1,11 @@
output {
if [@metadata][source] == "winlogbeat" {
if [Channel] == "Microsoft-Windows-Sysmon/Operational" {
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_sysmon-%{+YYYY.MM.dd}"
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
if [Channel] == "System" {
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_system-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
if [Channel] == "Security"{
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_security-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
if [Channel] == "Application"{
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_application-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
if [Channel] == "Microsoft-Windows-PowerShell/Operational"{
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_powershell-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
}
}
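Review bot: The new `index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"` combined with the unchanged `manage_template => false` means the mapping for the renamed sysmon fields (`[process][*]`, `[hash]`, `[destination][*]`, and so on) has to come from a template loaded outside Logstash whose pattern matches the beat-named indices; if none does, those fields are mapped dynamically and string values land as text with a keyword sub-field rather than the type the searches expect, which may be what the branch name refers to. Confirming that template pattern, or stating it in a comment above the `output` block, would make the dependency visible. The output also still reaches the hosts over plain HTTP with no `ssl` or credential settings, which is acceptable for a local lab but deserves a one-line comment so the block is not copied into an exposed deployment as-is.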


@ -1,13 +0,0 @@
output {
if [@metadata][source] == "winlogbeat" {
if [Channel] == "Microsoft-Windows-Sysmon/Operational" {
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_sysmon-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
}
}


@ -1,13 +0,0 @@
output {
if [@metadata][source] == "winlogbeat" {
if [Channel] == "System" {
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_system-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
}
}


@ -1,13 +0,0 @@
output {
if [@metadata][source] == "winlogbeat" {
if [Channel] == "Security"{
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_security-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
}
}


@ -1,13 +0,0 @@
output {
if [@metadata][source] == "winlogbeat" {
if [Channel] == "Application"{
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_application-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
}
}


@ -1,13 +0,0 @@
output {
if [@metadata][source] == "winlogbeat" {
if [Channel] == "Microsoft-Windows-PowerShell/Operational"{
elasticsearch {
hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
sniffing => true
manage_template => false
index => "windows_powershell-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
}
}


@ -1,67 +0,0 @@
filter {
if [Channel] == "Microsoft-Windows-Sysmon/Operational" {
if [event_id] == 1 {
kv {
source => "[event_data][Hashes]"
field_split => ","
value_split => ":"
include_keys => ["SHA1", "MD5", "IMPHASH"]
}
}
mutate {
rename => { "[event_data][CommandLine" => "[process][commandline]" }
rename => { "[event_data][CurrentDirectory" => "current_directory" }
rename => { "[event_data][Hashes][SHA1]" => "sha1" }
rename => { "[event_data][Hashes][MD5]" => "md5" }
rename => { "[event_data][Hashes][IMPHASH]" => "imphash" }
rename => { "[event_data][Image]" => "process"}
rename => { "[event_data][ImageLoaded" => "[process][module][loaded]"}
rename => { "[event_data][Signature]" => "[process][module][signature]"}
rename => { "[event_data][Signature]" => "[process][module][signature][status]"}
rename => { "[event_data][Signature]" => "[process][module][signed"}
rename => { "[event_data][IntegrityLevel]" => "[integrity][level]"}
rename => { "[event_data][LogonGuid]" => "[logon][guid]"}
rename => { "[event_data][ParentCommandLine]" => "[parent][process][commandline]"}
rename => { "[event_data][ParentImage]" => "[parent][process]"}
rename => { "[event_data][ParentProcessGuid]" => "[parent][process][guid]"}
rename => { "[event_data][ParentProcessId]" => "[parent][process][id]"}
rename => { "[event_data][ProcessGuid]" => "[process][guid]"}
rename => { "[event_data][ProcessId]" => "[process][id]"}
rename => { "[event_data][TerminalSessionId]" => "[terminal][session][id]"}
rename => { "[event_data][User]" => "user" }
rename => { "[event_data][NewThreatId]" => "[process][module][threadid]" }
rename => { "[event_data][StartAddress]" => "[process][module][start][address]" }
rename => { "[event_data][StartFunction]" => "[process][module][start][function]" }
rename => { "[event_data][StartModule]" => "[process][module][start]" }
rename => { "[event_data][Device]" => "Device" }
rename => { "[event_data][TargetFilename]" => "[file][name]" }
rename => { "[event_data][CreationUtcTime]" => "[file][time][creation]" }
rename => { "[event_data][CallTrace]" => "[process][access][calltrace]" }
rename => { "[event_data][GrantedAccess]" => "[process][access][code]" }
rename => { "[event_data][SourceImage]" => "[process][source]" }
rename => { "[event_data][SourceProcessGUID]" => "[process][source][guid]" }
rename => { "[event_data][SourceProcessId]" => "[process][source][id]" }
rename => { "[event_data][SourceThreadId]" => "[process][source][threatid]" }
rename => { "[event_data][TargetImage]" => "[process][target]" }
rename => { "[event_data][TargetProcessGUID]" => "[process][target][guid]" }
rename => { "[event_data][TargetProcessId]" => "[process][target][id]" }
rename => { "[event_data][DestinationHostname]" => "[destination][hostname]" }
rename => { "[event_data][DestinationIp]" => "[destination][ip]" }
rename => { "[event_data][DestinationIsIpv6]" => "[destination][is][ipv6]" }
rename => { "[event_data][DestinationPort]" => "[destination][port][number]" }
rename => { "[event_data][DestinationPortName]" => "[destination][port][name]" }
rename => { "[event_data][Initiated]" => "initiated" }
rename => { "[event_data][Protocol]" => "protocol" }
rename => { "[event_data][SourceHostname]" => "[source][hostname]" }
rename => { "[event_data][SourceIp]" => "[source][ip]" }
rename => { "[event_data][SourceIsIpv6]" => "[source][is][ipv6]" }
rename => { "[event_data][SourcePort]" => "[source][port][number]" }
rename => { "[event_data][SourcePortName]" => "[source][port][name]" }
rename => { "[event_data][EventType]" => "[registry][event][type]" }
rename => { "[event_data][TargetObject]" => "[registry][key]" }
rename => { "[event_data][Details]" => "[registry][details]" }
rename => { "[event_data][PipeName]" => "[pipe][name]" }
rename => { "[event_data][UtcTime]" => "[event][timestamp][utc]"}
}
}
}