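# Author: Austin Taylor and Justin Henderson
# Email: austin@hasecuritysolutions.com
# Last Update: 03/04/2018
# Version 0.3
# Description: Take in OpenVAS scan reports written by VulnWhisperer
#              (/opt/VulnWhisperer/data/openvas/*.json) and pump them into
#              Elasticsearch via Logstash. (Header previously said "qualys web
#              scan"; this pipeline reads the openvas directory and tags events
#              "openvas".)

input {
  file {
    path => "/opt/VulnWhisperer/data/openvas/*.json"
    codec => json
    # Read each report once, from the top, then remove it. NOTE(review):
    # "delete" removes the source file as soon as the input has consumed it,
    # before the output has acknowledged anything -- if Elasticsearch is down
    # the report is lost unless a persistent queue is enabled. Consider
    # file_completed_action => "log" plus a separate retention job if that
    # matters in your deployment.
    mode => "read"
    start_position => "beginning"   # was listed twice; duplicate removed
    file_completed_action => "delete"
    tags => [ "openvas_scan", "openvas" ]
  }
}

filter {
  if "openvas_scan" in [tags] {
    # scan_time is an epoch value; it becomes the event timestamp.
    date {
      match => [ "scan_time", "UNIX" ]
      target => "@timestamp"
      remove_field => ["scan_time"]
    }

    # TODO - move this mapping into the vulnwhisperer module
    # Schema A: the report already carries a 0-4 risk_number; derive the
    # capitalised risk label from it. No fallback is configured, so an
    # unmapped or missing risk_number leaves [risk] untouched.
    translate {
      field => "[risk_number]"
      destination => "[risk]"
      dictionary => {
        "0" => "Info"
        "1" => "Low"
        "2" => "Medium"
        "3" => "High"
        "4" => "Critical"
      }
    }

    # Schema B: the report carries a numeric 1-5 risk string instead; map it
    # to a 0-4 risk_number and a lowercase label. These branches can only fire
    # when the translate above did not rewrite [risk].
    # NOTE(review): the two schemas yield different casing ("Info" vs "info");
    # dashboards keyed on [risk] should expect both until the mapping is
    # consolidated upstream.
    # "replace" is used instead of "add_field": add_field onto an existing
    # risk_number turns the field into an array, which then breaks the integer
    # conversion below; replace creates the field when absent and overwrites
    # it otherwise.
    if [risk] == "1" {
      mutate { replace => { "risk_number" => 0 } }
      mutate { replace => { "risk" => "info" } }
    }
    if [risk] == "2" {
      mutate { replace => { "risk_number" => 1 } }
      mutate { replace => { "risk" => "low" } }
    }
    if [risk] == "3" {
      mutate { replace => { "risk_number" => 2 } }
      mutate { replace => { "risk" => "medium" } }
    }
    if [risk] == "4" {
      mutate { replace => { "risk_number" => 3 } }
      mutate { replace => { "risk" => "high" } }
    }
    if [risk] == "5" {
      mutate { replace => { "risk_number" => 4 } }
      mutate { replace => { "risk" => "critical" } }
    }

    # The raw JSON line has already been decoded into fields by the codec.
    mutate { remove_field => "message" }

    # Optional timeline fields. The patterns below ("dd MMM yyyy HH:mma 'GMT'")
    # match the Qualys date format; they are only attempted when the field is
    # present, so OpenVAS reports without them are unaffected.
    if [first_time_detected] {
      date {
        match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "first_time_detected"
      }
    }
    if [first_time_tested] {
      date {
        match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "first_time_tested"
      }
    }
    if [last_time_detected] {
      date {
        match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "last_time_detected"
      }
    }
    if [last_time_tested] {
      date {
        match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "last_time_tested"
      }
    }

    # Coerce scoring fields so they index as numerics rather than keywords.
    mutate {
      convert => { "cvss" => "float" }
      convert => { "cvss_base" => "float" }
      convert => { "cvss_temporal" => "float" }
      convert => { "cvss3" => "float" }
      convert => { "cvss3_base" => "float" }
      convert => { "cvss3_temporal" => "float" }
      convert => { "risk_number" => "integer" }
      convert => { "total_times_detected" => "integer" }
    }

    # Add your critical assets by subnet or by hostname. Comment this field out
    # if you don't want to tag any, but the asset panel will break.
    # The pattern is anchored at the start so "110.0.100.x" does not match.
    if [asset] =~ "^10\.0\.100\." {
      mutate { add_tag => [ "critical_asset" ] }
    }
  }
}

output {
  if "openvas" in [tags] {
    # NOTE(review): plaintext HTTP with no credentials. Vulnerability data is
    # sensitive; on anything other than a single trusted host/network, enable
    # TLS (ssl => true, cacert => ...) and authentication (user/password or
    # api_key) on this output.
    elasticsearch {
      hosts => [ "elasticsearch:9200" ]
      index => "logstash-vulnwhisperer-%{+YYYY.MM}"
    }
  }
}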