first version

parsers/carbonblack/cbdefense.conf

@@ -0,0 +1,160 @@
+# Licensed to empow under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. empow licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+
+input{
+  pipeline{
+    address => cbdefense_pipeline
+  }
+}
+
+filter {
+  csv {
+    separator => "|"
+    quote_char => "|"
+    columns => [
+      "column1", 
+      "column2", 
+      "column3", 		 
+      "column4", 
+      "productVersion",    #col 5 - ready
+      "[event][category]", #col 6 - ready
+      "[event][description]", #col 7 - additional processing is made below
+      "[event][severity]",   #col 8 - additional processing is made below
+      "metadata"]         #col 9 - remaining key-value fields...
+  }
+
+  mutate {
+    convert => {"[event][norm_risk_level]" => "integer"}
+  }	
+
+  kv {
+    whitespace => strict
+    source => "metadata"
+  }
+
+  grok{
+    match => {"message" => "cs%{NUMBER:cs_id}Label=\"Threat_ID\""}
+  } 
+  grok{
+    match => {"message" => "cs%{NUMBER:cs_info}Label=\"Link\""}
+  } 
+
+
+  mutate {
+    replace => {"[destination][hostname]" => "%{dvchost},%{sntdom}"}
+    replace => {"[destination][user][name]" => "%{duser},%{sntdom}"}
+    rename => ["dvc", "[destination][ip]"]
+    rename => ["cs%{cs_id}", "[event][id]"]
+    rename => ["cs%{cs_info}", "[event][more][info]"]
+    rename => ["act", "[event][type]"]
+  }
+
+
+
+
+  if ([duser] =~ /@/) or ([sntdom] =~ /^\s*$/) {
+    mutate {
+      rename => ["duser", "[destination][user][name]"]
+    }
+  } else {
+    mutate {
+      add_field => { "[destination][user][name]" => "%{duser}@%{sntdom}" }
+    }
+  } 
+
+  if ([dvchost] =~ /@/) or ([sntdom] =~ /^\s*$/) {
+    mutate {
+      rename => ["dvchost", "[destination][hostname]"]
+    }
+  } else {
+    mutate {
+      add_field => { "[destination][hostname]" => "%{dvchost}@%{sntdom}" }
+    }
+  }  
+
+  #-- eventUTCTime starts
+  date {
+    # Feb 06 2019, 10:32:49
+    match => [ "rt", "UNIX", "MMM dd yyyy HH:mm:ss" ]
+    timezone => "UTC"
+    target => "@timestamp"
+  }
+
+  #-- description treatment starts here: decide which service type it belongs to using the description field
+  grok {
+    tag_on_failure => ["isCustomService"]
+      match => {
+        "[event][description]" => "(A known virus \((?<malwareName>(\w+\.?)+))"
+      }
+    }
+
+  if "isCustomService" in [tags] {
+    mutate {
+      add_field => {"[observer][type]" => "Custom Service"}
+    }
+
+    if [event][description] =~ /Multiple commands were executed via a script/ {
+      mutate { 
+        add_field => { "[threat][technique]" => "Generic Code Execution Detection" }
+        add_field => { "[threat][tactic]" => "Lateral Movement" }
+      }
+    } else if [event][description] =~ /invoked another application|acted as a network server/ {
+      mutate { add_tag => [ "Going to forensics only"] }
+    } else {
+      #[event][description] =~ /A known virus was detected running|An application has created an executable|An unknown, suspect or compromised application/ {
+      mutate {
+        add_field => { "[threat][technique]" => "Custom External Delivery"}
+        add_field => { "[threat][tactic]" => "External Delivery"}
+      }
+    } 
+  }		
+  else {
+    mutate {
+      add_field => {"[observer][type]" => "Anti Virus" "[event][action]" => "File Download"}
+      rename => ["malwareName", "[threat][name]"]
+      add_tag => [ "empow_classification"]
+    }
+    mutate {
+      add_field => {"[empow][malware_name]" => "%{[threat][name]}"}
+    }
+  }
+
+  #-- description treatment ends here
+  mutate {
+    add_field => {
+      "[observer][vendor]" => "Carbon Black"
+      "[observer][product]" => "Cb Defense" 
+    }
+  }
+
+
+  #-- remove redundant tags	
+  mutate {
+    remove_tag => ["isCustomService"]
+  }
+  #-- cleanup end
+}
+
+
+
+output {  
+  pipeline{
+    send_to => [empow_classifier_output]
+  }
+}

parsers/default_pipeline.conf

@@ -0,0 +1,13 @@
+input{
+  pipeline{
+    address => default_pipeline
+  }
+}
+
+output {  
+  pipeline{
+    send_to => [elastic_output]
+  }
+}
+
+

parsers/default_pipeline.conf~

@@ -0,0 +1,38 @@
+input{
+  pipeline{
+    address => snort_pipeline
+  }
+}
+
+filter{
+  grok{
+    match => {"message" => "%{NUMBER}\>%{SYSLOGTIMESTAMP:tmp_date} snort.*: \[(?<sig_id>%{NUMBER}:%{NUMBER}):%{NUMBER}\] .* %{IP:[source][ip]}(:%{NUMBER:[source][port]})? -> %{IP:[destination][ip]}(:%{NUMBER:[destination][port]})?"}
+    add_field => {"[observer][type]" => "IDS" "[observer][product]" => "snort"}
+
+    add_tag => ["src_ip"]
+    add_tag => ["dst_ip"]
+    add_tag => [ "empow_classification"]
+
+  }
+
+     mutate{
+       add_field => {"[empow][signature]" => "%{sig_id}"}
+     }
+
+   date{
+     match => ["tmp_date", "UNIX", "MMMM dd HH:mm:ss"]
+     target => "@timestamp"
+     remove_field => ["tmp_date"]
+   }
+
+}
+    whitelist_names => ["^source$", "^destination$", "^threat$", "^event$", "^@timestamp$", "^observer$", "^error$"]
+  }
+}
+
+output { 
+  udp{
+    host => "127.0.0.1"
+    port => 1237
+  }
+}

parsers/fortinet/fortinet.conf

@@ -0,0 +1,67 @@
+# Licensed to empow under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. empow licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+input{
+  pipeline{
+    address => fortinet_pipeline
+  }
+}
+
+filter{
+  grok{
+     match => {"message" => "%{NUMBER}\>(?<kv_log>.*)"}
+  }     
+  kv{
+    source => "kv_log"
+  }
+
+  mutate{
+    add_field => {"[observer][type]" => "IDS" "[observer][product]" => "fortinet"}
+    rename => {"srcip" =>  "[source][ip]"}
+    rename => {"srcip" =>  "[source][ip]"}
+    rename => {"dstip" => "[destination][ip]"}
+    replace => {"tmp_date" => "%{date} %{time}"}
+    rename => {"srcport" => "[source][port]"}
+    rename => {"dstport" => "[destination][port]"}
+    rename => {"attack" => "[event][category]"}
+    rename => {"msg" => "[event][description]"}
+    rename => {"attackid" => "[empow][signature]"}
+    add_field => {"[event][id]" => "%{[empow][signature]}"}
+    rename => {"ref" => "[event][more_info]"}
+    rename => {"logid" => "[event][sequence]"}
+    rename => {"direction" => "[network][direction]"}
+
+    add_tag => ["empow_classification"]
+    add_tag => ["src_ip"]
+    add_tag => ["dst_ip"]
+  }
+
+  date{
+     match => ["tmp_date", "UNIX", "yyyy-MM-dd HH:mm:ss"]
+     target => "@timestamp"
+     remove_field => ["tmp_date"]
+  }
+
+}
+
+
+output {  
+  pipeline{
+    send_to => [elastic_output]
+  }
+}
+

parsers/snort/snort.conf

@@ -0,0 +1,55 @@
+# Licensed to empow under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. empow licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+input{
+  pipeline{
+    address => snort_pipeline
+  }
+}
+
+filter{
+  grok{
+    match => {"message" => "%{NUMBER}\>%{SYSLOGTIMESTAMP:tmp_date} snort.*:(.*message repeated %{NUMBER:[event][hits]} times: \[)? \[(?<[event][id]>%{NUMBER}:%{NUMBER})(:%{NUMBER})?\]( \(%{GREEDYDATA:[network][protocol]}\))? %{GREEDYDATA:[event][description]} \[Classification: (?<[event][category]>[^\]]*)\] .* %{IP:[source][ip]}(:%{NUMBER:[source][port]})? -> %{IP:[destination][ip]}(:%{NUMBER:[destination][port]})?"}
+    add_field => {"[observer][type]" => "IDS" "[observer][product]" => "snort"}
+
+    add_tag => ["src_ip"]
+    add_tag => ["dst_ip"]
+    add_tag => [ "empow_classification"]
+
+  }
+
+
+  mutate{
+    add_field => {"[empow][signature]" => "%{[event][id]}"}
+  }
+
+   date{
+     match => ["tmp_date", "UNIX", "MMMM dd HH:mm:ss"]
+     target => "@timestamp"
+     remove_field => ["tmp_date"]
+   }
+
+}
+
+
+output {  
+  pipeline{
+    send_to => [elastic_output]
+  }
+}
+