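# Author: Austin Taylor and Justin Henderson
# Email: austin@hasecuritysolutions.com
# Last Update: 12/30/2017
# Version 0.3
# Description: Take in Qualys (vuln, web and VM) scan reports written by
# VulnWhisperer and pump them into Elasticsearch through Logstash.

# Each report file is read once, from the beginning, and then deleted
# (file_completed_action => "delete"). The Logstash user therefore needs
# write permission on the data directories, and a report whose events are
# lost downstream (e.g. an Elasticsearch outage) is not replayed.
input {
  file {
    path => [
      "/opt/VulnWhisperer/data/qualys/*.json",
      "/opt/VulnWhisperer/data/qualys_web/*.json",
      "/opt/VulnWhisperer/data/qualys_vuln/*.json"
    ]
    type => "json"
    codec => "json"
    tags => [ "qualys" ]
    mode => "read"
    # Declared once; the original listed this setting twice.
    start_position => "beginning"
    file_completed_action => "delete"
  }
}

filter {
  if "qualys" in [tags] {
    # The report's own epoch timestamp becomes the event time so that
    # findings are indexed under the scan date, not the ingest date.
    date {
      match => [ "_timestamp", "UNIX" ]
      target => "@timestamp"
      remove_field => ["_timestamp"]
    }

    # Derive the Qualys module from the file name and append it to [tags].
    # The capture group must be named "tags" (the page's rendering had lost
    # the <tags> name, which makes the pattern an invalid regex); the
    # "qualys_web" check below and any downstream tag filtering rely on it.
    # app_id is only populated for qualys_web reports. Files from the plain
    # qualys/ directory match neither pattern; tag_on_failure => [] keeps
    # that from adding _grokparsefailure to every such event.
    grok {
      match => {
        "path" => [
          "(?<tags>qualys_vuln)_scan_%{DATA}_%{INT}.json$",
          "(?<tags>qualys_web)_%{INT:app_id}_%{INT}.json$"
        ]
      }
      tag_on_failure => []
    }

    # Web-application findings carry the application name rather than a
    # host; expose it under the common "asset" field used by the other
    # VulnWhisperer pipelines.
    if "qualys_web" in [tags] {
      mutate {
        add_field => { "asset" => "%{web_application_name}" }
      }
    }

    # Numeric typing so score and risk fields can be range-queried and
    # aggregated. One convert hash instead of eight repeated keys.
    mutate {
      convert => {
        "cvss" => "float"
        "cvss_base" => "float"
        "cvss_temporal" => "float"
        "cvss3" => "float"
        "cvss3_base" => "float"
        "cvss3_temporal" => "float"
        "risk_number" => "integer"
        "total_times_detected" => "integer"
      }
    }

    # Qualys renders its detection/test timestamps as e.g.
    # "30 Dec 2017 10:15PM GMT+0000" (with or without the offset); parse
    # them in place. The guards avoid a _dateparsefailure tag on reports
    # that lack a given field.
    if [first_time_detected] {
      date {
        match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "first_time_detected"
      }
    }
    if [first_time_tested] {
      date {
        match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "first_time_tested"
      }
    }
    if [last_time_detected] {
      date {
        match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "last_time_detected"
      }
    }
    if [last_time_tested] {
      date {
        match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "last_time_tested"
      }
    }

    # Optional: tag findings on assets in your own domain so dashboards and
    # alerting can prioritise them. Replace the domain before enabling.
    # if [asset] =~ "\.yourdomain\.(com|net)$" {
    #   mutate {
    #     add_tag => [ "critical_asset" ]
    #   }
    # }
  }
}

output {
  if "qualys" in [tags] {
    stdout { codec => dots }
    # Vulnerability findings are sensitive. This output talks plain HTTP to
    # an unauthenticated cluster, which is only acceptable on an isolated
    # network (e.g. the Docker network the "elasticsearch" name implies);
    # anywhere else, enable TLS and credentials on this output.
    elasticsearch {
      hosts => [ "elasticsearch:9200" ]
      # Monthly indices keep retention and ILM/curator policies simple.
      index => "logstash-vulnwhisperer-%{+YYYY.MM}"
    }
  }
}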