# ───────────────────────────────────────────────────────────────────────────────────────────────────
# ─██████████████─████████████████───██████──────────██████─██████████████─██████████─██████████████─
# ─██░░░░░░░░░░██─██░░░░░░░░░░░░██───██░░██████████████░░██─██░░░░░░░░░░██─██░░░░░░██─██░░░░░░░░░░██─
# ─██░░██████░░██─██░░████████░░██───██░░░░░░░░░░░░░░░░░░██─██░░██████░░██─████░░████─██░░██████████─
# ─██░░██──██░░██─██░░██────██░░██───██░░██████░░██████░░██─██░░██──██░░██───██░░██───██░░██─────────
# ─██░░██████░░██─██░░████████░░██───██░░██──██░░██──██░░██─██░░██████░░██───██░░██───██░░██████████─
# ─██░░░░░░░░░░██─██░░░░░░░░░░░░██───██░░██──██░░██──██░░██─██░░░░░░░░░░██───██░░██───██░░░░░░░░░░██─
# ─██░░██████░░██─██░░██████░░████───██░░██──██████──██░░██─██░░██████░░██───██░░██───██░░██████████─
# ─██░░██──██░░██─██░░██──██░░██─────██░░██──────────██░░██─██░░██──██░░██───██░░██───██░░██─────────
# ─██░░██──██░░██─██░░██──██░░██████─██░░██──────────██░░██─██░░██──██░░██─████░░████─██░░██████████─
# ─██░░██──██░░██─██░░██──██░░░░░░██─██░░██──────────██░░██─██░░██──██░░██─██░░░░░░██─██░░░░░░░░░░██─
# ─██████──██████─██████──██████████─██████──────────██████─██████──██████─██████████─██████████████─
# ───────────────────────────────────────────────────────────────────────────────────────────────────

# Vector pipeline: Infowatch ARMA Industrial Endpoint (CEF over syslog/UDP) -> Elasticsearch.
# Rendered from a Jinja2 template: {{pk}}, {{port}} and the elastic_* values are filled in at deploy time.

[sources.ie_{{pk}}_socket_source]
type = "syslog"
address = '0.0.0.0:{{port}}'
mode = "udp"

# 1. Keep only messages that carry a CEF header
[transforms.ie_{{pk}}_cef_filter]
type = "filter"
inputs = ["ie_{{pk}}_socket_source"]
# The original pattern `^*CEF:.*` is not a valid regex (a quantifier cannot follow the `^` anchor);
# the intent is simply "the message contains a CEF header", so match the header prefix anywhere.
condition = '''match(string!(.message), r'CEF:\d+\|')'''

# 2. Parse the CEF header fields out of the syslog message
[transforms.ie_{{pk}}_parse_logs]
type = "remap"
inputs = ["ie_{{pk}}_cef_filter"]
source = '''
# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# The named-group names were lost in extraction; they are restored here from the CEF header order
# and from the field names the transforms below rely on (device_product, device_version, name, severity, extension).
. |= parse_regex!(.message, r'CEF:\d+\|(?P<device_vendor>[^\|]*)\|(?P<device_product>[^\|]*)\|(?P<device_version>[^\|]*)\|(?P<signature>[^\|]*)\|(?P<name>[^\|]*)\|(?P<severity>[^\|]*)\|(?P<extension>.*)')
.@timestamp = format_timestamp!(now(), format: "%+")
.aggregated = "false"
.orig_message = .message
.device_vendor = "Infowatch ARMA"
.format = "CEF"
.source_host = .host
.source_ip = .host
.destination_ip = "127.0.0.1"
.event_severity = .severity
.sign_category = .signature
# sign_id is in the keep list of the prune step but was never populated; it is the CEF Signature ID
.sign_id = .signature
.event_src_msg = .message
.extension = strip_whitespace(string!(.extension))
.extension = strip_ansi_escape_codes(.extension)
'''

# 3. Accept only events from the Industrial Endpoint product and tag them with the event type
[transforms.ie_{{pk}}_check_device_product]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_logs"]
hooks.process = '''
function(event, emit)
  if event.log["device_product"] == "ARMAIE" then
    event.log.type = "endpoint_{{ pk }}"
    event.log.device_product = "Industrial Endpoint"
    emit(event)
  end
end
'''

# 4. Split the CEF extension ("key=value key2=value2 ...") into event fields
[transforms.ie_{{pk}}_parse_key_value]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_check_device_product"]
hooks.process = '''
function(event, emit)
  local str = event.log["extension"]
  if str ~= nil then
    -- A value ends at the next whitespace or at end of string; values containing spaces are
    -- therefore split, which is a limitation of this simple pattern.
    for name, value in str:gmatch("%s*([^=]*)=([^=]*)%f[%s%z]") do
      event.log[name] = value
    end
  end
  emit(event)
end
'''

# 5. Build event_timestamp, either from the receive time or from the CEF `rt` field
{% if adjust_datetime == 1 %}
[transforms.ie_{{pk}}_made_timestamp]
type = "remap"
inputs = ["ie_{{pk}}_parse_key_value"]
source = '''
.event_timestamp = format_timestamp!(now(), format: "%+")
'''
{% else %}
[transforms.ie_{{pk}}_made_timestamp]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_key_value"]
hooks.process = '''
function(event, emit)
  -- CEF `rt` is milliseconds since the epoch; some agents send seconds. The original detected
  -- millisecond values by looking for a "+" prefix in the formatted year, which is platform
  -- dependent; checking the magnitude is deterministic. os.date needs an integer, so floor it.
  local rt = tonumber(event.log["rt"])
  if rt == nil then
    rt = os.time()
  elseif rt > 1e11 then
    rt = rt / 1000
  end
  event.log.event_timestamp = os.date("!%Y-%m-%dT%H:%M:%SZ", math.floor(rt))
  emit(event)
end
'''
{% endif %}

# 6. Normalise "White list" events
[transforms.ie_{{pk}}_parse_white_list]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_made_timestamp"]
hooks.process = '''
function(event, emit)
  if event.log["name"] == "White list" then
    event.log.sign_category = "Whitelist"
    event.log.sign_name = (event.log["act"] or "") .. ":" .. (event.log["filePath"] or "") .. "->" .. (event.log["cat"] or "")
    event.log.device_action = "BLOCK"
    event.log.sign_subcategory = "ACCESS DENIED"
  end
  emit(event)
end
'''

# 7. Normalise "Integrity control" events
[transforms.ie_{{pk}}_parse_integrity_control]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_white_list"]
hooks.process = '''
function(event, emit)
  if event.log["name"] == "Integrity control" then
    event.log.sign_name = (event.log["act"] or "") .. ":" .. (event.log["filePath"] or "") .. "," .. (event.log["fname"] or "")
    event.log.sign_category = "Integrity control"
  end
  emit(event)
end
'''

# 8. Normalise "USB" events
[transforms.ie_{{pk}}_parse_usb]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_integrity_control"]
hooks.process = '''
function(event, emit)
  if event.log["name"] == "USB" then
    event.log.sign_name = "USB status=" .. (event.log["act"] or "")
    event.log.sign_category = "Usb devices"
    event.log.device_action = "Usb action"
    event.log.sign_subcategory = event.log["msg"]
  end
  emit(event)
end
'''

# 9. Normalise "Antivirus" events
[transforms.ie_{{pk}}_parse_antivirus]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_usb"]
hooks.process = '''
function(event, emit)
  if event.log["name"] == "Antivirus" then
    local act = event.log["act"] or ""
    local cs1 = event.log["cs1"]
    -- cs2 may be absent; default it so the concatenation below cannot fail on nil
    local cs2 = event.log["cs2"] or ""
    event.log.sign_category = "Antivirus"
    event.log.device_action = act
    event.log.sign_name = act
    event.log.sign_subcategory = act
    if cs1 ~= nil then
      event.log.sign_name = act .. ":" .. (event.log["filePath"] or "") .. " " .. cs1 .. " " .. cs2
    end
  end
  emit(event)
end
'''

# 10. Drop anything that was not tagged as an endpoint event
[transforms.ie_{{pk}}_check_event_type]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_antivirus"]
hooks.process = '''
function(event, emit)
  -- "^endpoint_*" would also match a bare "endpoint"; the tag set above always has the underscore
  if event.log["type"] ~= nil and event.log["type"]:match("^endpoint_") ~= nil then
    emit(event)
  end
end
'''

# 11. Assign a unique event id
[transforms.ie_{{pk}}_create_uuid]
type = "remap"
inputs = ["ie_{{pk}}_check_event_type"]
source = '''
.event_id = uuid_v4()
'''

# 12. Strip embedded NUL bytes from the raw message copies
[transforms.ie_{{pk}}_replace]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_create_uuid"]
hooks.process = '''
function(event, emit)
  -- "\u0000" is not a valid Lua escape (Lua 5.3+ spells it "\u{0}"); "\0" is the NUL byte.
  -- gsub returns (string, count); the parentheses keep only the string.
  event.log.event_src_msg = (event.log["orig_message"]:gsub("\0", ""))
  event.log.message = event.log["event_src_msg"]
  event.log.orig_message = event.log["message"]
  emit(event)
end
'''

# 13. Keep only the fields the index expects
[transforms.ie_{{pk}}_prune_fields]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_replace"]
source = '''
local fields_list = {
  'event_src_msg', 'event_severity', 'event_timestamp', 'event_id', 'device_vendor',
  'sign_name', 'sign_subcategory', 'device_version', 'device_product', 'device_action',
  'sign_id', 'message', 'sign_category', '@timestamp', 'source_host', 'source_ip',
  'destination_ip', 'format', 'type'
}

function check_field(field)
  for _, value in pairs(fields_list) do
    if value == field then
      return true
    end
  end
  return false
end

function process(event, emit)
  for f, _ in pairs(event.log) do
    if check_field(f) ~= true then
      -- print("delete-> " .. f)
      event.log[f] = nil
    end
  end
  emit(event)
end
'''
hooks.process = "process"

# 14. Cast fields to the types the index mapping expects
[transforms.ie_{{pk}}_cast_types]
type = "remap"
inputs = ["ie_{{pk}}_prune_fields"]
source = '''
.event_uuid = .event_id
#.source_port = to_int!(.source_port)
#.destination_port = to_int!(.destination_port)
.aggregated = to_bool!(.aggregated)
#.celery_done = to_bool!(.celery_done)
.event_severity = to_int!(.event_severity)
.event_timestamp = to_timestamp!(.event_timestamp)
.@timestamp = to_timestamp!(.@timestamp)
'''

## Print parsed logs to stdout (debugging only)
#[sinks.ie_print]
#type = "console"
#inputs = ["ie_cast_types"]
#encoding.codec = "json"

[sinks.ie_{{pk}}_elasticsearch_vector]
type = "elasticsearch"
inputs = ["ie_{{pk}}_cast_types"]
compression = "none"
healthcheck = true
auth.strategy = "basic"
auth.user = "{{ elastic_login }}"
auth.password = "{{ elastic_pass }}"
endpoint = "{{ elastic_url }}"
normal.index = "arma-%Y.%m.%d"
id_key = "event_uuid"