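# Author: Austin Taylor and Justin Henderson
# Email: email@austintaylor.io
# Last Update: 12/20/2017
# Version 0.3
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
#
# Pipeline overview: read the JSON report files VulnWhisperer writes for Nessus
# and Tenable.io, normalise the timestamp and numeric fields, derive a qualitative
# severity label from the CVSS score, and index each finding into Elasticsearch.
#
# Operational / security notes (review):
#  - file_completed_action => "delete" removes every report file as soon as it has
#    been read. With Logstash's default in-memory queue, events that have not yet
#    been acknowledged by the elasticsearch output are lost if Logstash restarts or
#    Elasticsearch is unreachable. Enable the persistent queue
#    (queue.type: persisted in logstash.yml) or keep the source files if the
#    findings must not be lost.
#  - The elasticsearch output talks plain HTTP with no credentials. Scan results are
#    sensitive (host inventory, unpatched CVEs, plugin output); outside a lab use
#    https with certificate verification and authenticate (user/password or an API
#    key kept in the Logstash keystore). See the commented options in the output.

input {
  # Nessus exports: VulnWhisperer writes one JSON file per scan/history entry,
  # possibly nested one directory deeper, hence the ** glob.
  file {
    path => "/opt/VulnWhisperer/data/nessus/**/*.json"
    mode => "read"                       # read whole files once, not tail them
    start_position => "beginning"        # only meaningful in tail mode; harmless here
    file_completed_action => "delete"    # see data-loss caveat in the header
    tags => "nessus"
    codec => json
  }

  # Tenable.io exports: flat directory, same handling as Nessus.
  file {
    path => "/opt/VulnWhisperer/data/tenable/*.json"
    mode => "read"
    start_position => "beginning"
    file_completed_action => "delete"    # see data-loss caveat in the header
    tags => "tenable"
    codec => json
  }
}

filter {
  if "nessus" in [tags] or "tenable" in [tags] {
    # VulnWhisperer stamps each finding with an epoch-seconds "_timestamp".
    # On success it becomes @timestamp and the raw field is dropped; on failure
    # the date filter tags the event with _dateparsefailure and keeps the field.
    date {
      match => [ "_timestamp", "UNIX" ]
      target => "@timestamp"
      remove_field => ["_timestamp"]
    }

    # If using filebeats as your source, you will need to replace the "path" field to "source".
    # Remove when scan name is included in event (current method is error prone).
    # Pulls history_id out of the report file name (<scan_name>_<id>_<history_id>_<n>.json).
    # The leading scan-name group is intentionally not captured into a field.
    # The ".json" suffix is now escaped so the dot is literal rather than "any char".
    # tag_on_failure => [] silences the default _grokparsefailure tag, so a path
    # that does not match simply yields no history_id.
    grok {
      match => { "path" => "([a-zA-Z0-9_.\-]+)_%{INT}_%{INT:history_id}_%{INT}\.json$" }
      tag_on_failure => []
    }

    # The JSON exports carry scores and ids as strings; coerce them so range
    # comparisons below and Elasticsearch mappings treat them as numbers.
    mutate {
      convert => { "cvss" => "float"}
      convert => { "cvss_base" => "float"}
      convert => { "cvss_temporal" => "float"}
      convert => { "cvss3" => "float"}
      convert => { "cvss3_base" => "float"}
      convert => { "cvss3_temporal" => "float"}
      convert => { "id" => "integer"}
      convert => { "plugin_id" => "integer"}
      convert => { "risk_number" => "integer"}
      convert => { "total_times_detected" => "integer"}
    }

    # Qualitative severity derived from [cvss] only (presumably the CVSS v2 score;
    # cvss3 is converted above but not used for this label — confirm against the
    # exporter). Buckets are contiguous, so every numeric score gets exactly one
    # label; an event without a cvss field gets none.
    # NOTE(review): these cut-offs (3 / 6 / 9) do not match the NVD qualitative
    # scale (Low < 4.0, Medium 4.0–6.9, High 7.0–8.9, Critical >= 9.0), so a 3.5
    # is "medium" here but "low" in NVD terms. Left unchanged to avoid silently
    # re-bucketing existing dashboards; align them if NVD-compatible labels matter.
    if [cvss] == 0 {
      mutate { add_field => { "cvss_severity" => "info" } }
    }
    if [cvss] > 0 and [cvss] < 3 {
      mutate { add_field => { "cvss_severity" => "low" } }
    }
    if [cvss] >= 3 and [cvss] < 6 {
      mutate { add_field => { "cvss_severity" => "medium" } }
    }
    if [cvss] >= 6 and [cvss] < 9 {
      mutate { add_field => { "cvss_severity" => "high" } }
    }
    if [cvss] >= 9 {
      mutate { add_field => { "cvss_severity" => "critical" } }
    }
  }
}

output {
  if "nessus" in [tags] or "tenable" in [tags] {
    # One dot per event on stdout as a cheap progress indicator.
    stdout { codec => dots }

    # Monthly indices; findings are keyed by Elasticsearch-generated ids, so
    # re-ingesting a report produces duplicate documents rather than updates.
    elasticsearch {
      hosts => [ "elasticsearch:9200" ]
      # Recommended outside a lab. Keep the secrets in the Logstash keystore
      # (${VAR} references), never inline in this file:
      # ssl => true
      # cacert => "/etc/logstash/certs/ca.crt"
      # user => "${ES_USER}"
      # password => "${ES_PASSWORD}"
      index => "logstash-vulnwhisperer-%{+YYYY.MM}"
    }
  }
}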