# Author: Austin Taylor and Justin Henderson # Email: email@austintaylor.io # Last Update: 12/20/2017 # Version 0.3 # Description: Take in nessus reports from vulnWhisperer and pumps into logstash input { file { path => "/opt/VulnWhisperer/data/nessus/**/*.json" start_position => "beginning" file_completed_action => "delete" tags => "nessus" codec => json } file { path => "/opt/VulnWhisperer/data/tenable/*.json" start_position => "beginning" file_completed_action => "delete" tags => "tenable" codec => json } } filter { if "nessus" in [tags] or "tenable" in [tags] { #If using filebeats as your source, you will need to replace the "path" field to "source" # Remove when scan name is included in event (current method is error prone) grok { match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" } tag_on_failure => [] } # TODO remove when @timestamp is included in event date { match => [ "last_updated", "UNIX" ] target => "@timestamp" remove_field => ["last_updated"] } if [risk] == "None" { mutate { add_field => { "risk_number" => 0 }} } if [risk] == "Low" { mutate { add_field => { "risk_number" => 1 }} } if [risk] == "Medium" { mutate { add_field => { "risk_number" => 2 }} } if [risk] == "High" { mutate { add_field => { "risk_number" => 3 }} } if [risk] == "Critical" { mutate { add_field => { "risk_number" => 4 }} } if ![cve] or [cve] == "nan" { mutate { remove_field => [ "cve" ] } } if ![cvss] or [cvss] == "nan" { mutate { remove_field => [ "cvss" ] } } if ![cvss_base] or [cvss_base] == "nan" { mutate { remove_field => [ "cvss_base" ] } } if ![cvss_temporal] or [cvss_temporal] == "nan" { mutate { remove_field => [ "cvss_temporal" ] } } if ![cvss_temporal_vector] or [cvss_temporal_vector] == "nan" { mutate { remove_field => [ "cvss_temporal_vector" ] } } if ![cvss_vector] or [cvss_vector] == "nan" { mutate { remove_field => [ "cvss_vector" ] } } if ![cvss3_base] or [cvss3_base] == "nan" { mutate { remove_field => [ "cvss3_base" ] } } if ![cvss3_temporal] or [cvss3_temporal] == "nan" { mutate { remove_field => [ "cvss3_temporal" ] } } if ![cvss3_temporal_vector] or [cvss3_temporal_vector] == "nan" { mutate { remove_field => [ "cvss3_temporal_vector" ] } } if ![description] or [description] == "nan" { mutate { remove_field => [ "description" ] } } if ![mac_address] or [mac_address] == "nan" { mutate { remove_field => [ "mac_address" ] } } if ![netbios] or [netbios] == "nan" { mutate { remove_field => [ "netbios" ] } } if ![operating_system] or [operating_system] == "nan" { mutate { remove_field => [ "operating_system" ] } } if ![plugin_output] or [plugin_output] == "nan" { mutate { remove_field => [ "plugin_output" ] } } if ![see_also] or [see_also] == "nan" { mutate { remove_field => [ "see_also" ] } } if ![synopsis] or [synopsis] == "nan" { mutate { remove_field => [ "synopsis" ] } } if ![system_type] or [system_type] == "nan" { mutate { remove_field => [ "system_type" ] } } mutate { remove_field => [ "message" ] add_field => { "risk_score" => "%{cvss}" } } mutate { convert => { "risk_score" => "float" } } if [risk_score] == 0 { mutate { add_field => { "risk_score_name" => "info" } } } if [risk_score] > 0 and [risk_score] < 3 { mutate { add_field => { "risk_score_name" => "low" } } } if [risk_score] >= 3 and [risk_score] < 6 { mutate { add_field => { "risk_score_name" => "medium" } } } if [risk_score] >=6 and [risk_score] < 9 { mutate { add_field => { "risk_score_name" => "high" } } } if [risk_score] >= 9 { mutate { add_field => { "risk_score_name" => "critical" } } } } } output { if "nessus" in [tags] or "tenable" in [tags]{ stdout { codec => dots } elasticsearch { hosts => [ "elasticsearch:9200" ] index => "logstash-vulnwhisperer-%{+YYYY.MM}" } } }