Kibana Dashboards, filebeat and logstash configs

2017-07-10 00:15:28 -04:00
parent ccf774099f
commit 034b204255
7 changed files with 858 additions and 0 deletions
--- a/logstash/1000_nessus_preprocess_nessus.conf
+++ b/logstash/1000_nessus_preprocess_nessus.conf
@ -0,0 +1,114 @@
+# Author: Austin Taylor and Justin Henderson
+# Email: email@austintaylor.io
+# Last Update: 05/22/2017
+# Version 0.2
+# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
+
+filter {
+  if "nessus" in [tags]{
+    mutate {
+      gsub => [
+        "message", "\|\|\|", " ",
+        "message", "\t\t", " ",
+        "message", "    ", " ",
+        "message", "   ", " ",
+        "message", "  ", " "
+      ]
+    }
+
+    csv {
+      columns => ["plugin_id", "cve", "cvss", "risk", "host", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
+      separator => ","
+      source => "message"
+    }
+
+    grok {
+      match => { "source" => "(?<file_path>[\\\:a-z A-Z_]*\\)(?<scan_name>[a-z-0-9\.A-Z_\-]*)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}" }
+      tag_on_failure => []
+    }
+    date {
+      match => [ "last_updated" , "UNIX" ]
+      target => "@timestamp"
+      remove_field => ["last_updated"]
+    }
+    if [risk] == "None" {
+      mutate { add_field => { "risk_number" => 0 }}
+    }
+    if [risk] == "Low" {
+      mutate { add_field => { "risk_number" => 1 }}
+    }
+    if [risk] == "Medium" {
+      mutate { add_field => { "risk_number" => 2 }}
+    }
+    if [risk] == "High" {
+      mutate { add_field => { "risk_number" => 3 }}
+    }
+    if [risk] == "Critical" {
+      mutate { add_field => { "risk_number" => 4 }}
+    }
+    if [cve] == "nan" {
+      mutate { remove_field => [ "cve" ] }
+    }
+    if [see_also] == "nan" {
+      mutate { remove_field => [ "see_also" ] }
+    }
+    if [description] == "nan" {
+      mutate { remove_field => [ "description" ] }
+    }
+    if [plugin_output] == "nan" {
+      mutate { remove_field => [ "plugin_output" ] }
+    }
+    if [synopsis] == "nan" {
+      mutate { remove_field => [ "synopsis" ] }
+    }
+
+    mutate {
+      remove_field => [ "message" ]
+      add_field => { "risk_score" => "%{cvss}" }
+    }
+    mutate {
+      convert => { "risk_score" => "float" }
+    }
+
+    # Compensating controls - adjust risk_score
+    # Adobe and Java are not allowed to run in browser unless whitelisted
+    # Therefore, lower score by dividing by 3 (score is subjective to risk)
+    if [risk_score] != 0 {
+      if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
+        ruby {
+          code => "event.set('risk_score', event.get('risk_score') / 3)"
+        }
+        mutate {
+          add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
+        }
+      }
+    }
+
+    # Add tags for reporting based on assets or criticality
+    # May be a good idea to mirror some of the tags in 8200_postprocess_tagging.conf
+    if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^192\.168\.5\." {
+      mutate {
+        add_tag => [ "critical_asset" ]
+      }
+    }
+    if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
+      mutate {
+        add_tag => [ "has_hipaa_data" ]
+      }
+    }
+    if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
+      mutate {
+        add_tag => [ "hipaa_asset" ]
+      }
+    }
+    if [host] =~ "^192\.168\.5\." {
+      mutate {
+        add_tag => [ "pci_asset" ]
+      }
+    if [host] =~ "^10\.0\.50\." {
+      mutate {
+        add_tag => [ "web_servers" ]
+      }
+    }
+  }
+}