VulnWhisperer/resources/elk6/pipeline/3000_openvas.conf

# Author: Austin Taylor and Justin Henderson
# Email: austin@hasecuritysolutions.com
# Last Update: 03/04/2018
# Version 0.3
# Description: Take in qualys web scan reports from vulnWhisperer and pumps into logstash

input {
  file {
    path => "/opt/VulnWhisperer/data/openvas/*.json"
    type => json
    codec => json
    start_position => "beginning"
    tags => [ "openvas_scan", "openvas" ]
    mode => "read"
    start_position => "beginning"
    file_completed_action => "delete"

  }
}

filter {
  if "openvas_scan" in [tags] {
    date {
      match => [ "scan_time", "UNIX" ]
      target => "@timestamp"
      remove_field => ["scan_time"]
    }

    grok {
        match => { "path" => "openvas_scan_%{DATA}_%{INT}.json$" }
        tag_on_failure => []
    }

    # TODO - move this mapping into the vulnwhisperer module
    translate {
      field => "[risk_number]"
      destination => "[risk]"
      dictionary => {
        "0" => "Info"
        "1" => "Low"
        "2" => "Medium"
        "3" => "High"
        "4" => "Critical"
      }
    }

    if [risk] == "1" {
      mutate { add_field => { "risk_number" => 0 }}
      mutate { replace => { "risk" => "info" }}
    }
    if [risk] == "2" {
      mutate { add_field => { "risk_number" => 1 }}
      mutate { replace => { "risk" => "low" }}
    }
    if [risk] == "3" {
      mutate { add_field => { "risk_number" => 2 }}
      mutate { replace => { "risk" => "medium" }}
    }
    if [risk] == "4" {
      mutate { add_field => { "risk_number" => 3 }}
      mutate { replace => { "risk" => "high" }}
    }
    if [risk] == "5" {
      mutate { add_field => { "risk_number" => 4 }}
      mutate { replace => { "risk" => "critical" }}
    }

    mutate {
      remove_field => "message"
    }

    if [first_time_detected] {
      date {
        match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "first_time_detected"
      }
    }
    if [first_time_tested] {
      date {
        match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "first_time_tested"
      }
    }
    if [last_time_detected] {
      date {
        match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "last_time_detected"
      }
    }
    if [last_time_tested] {
      date {
        match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
        target => "last_time_tested"
      }
    }

    mutate {
      convert => { "cvss" => "float"}
      convert => { "cvss_base" => "float"}
      convert => { "cvss_temporal" => "float"}
      convert => { "cvss3" => "float"}
      convert => { "cvss3_base" => "float"}
      convert => { "cvss3_temporal" => "float"}
      convert => { "risk_number" => "integer"}
      convert => { "total_times_detected" => "integer"}
    }

    # Add your critical assets by subnet or by hostname. Comment this field out if you don't want to tag any, but the asset panel will break.
    if [asset] =~ "^10\.0\.100\." {
      mutate {
        add_tag => [ "critical_asset" ]
      }
    }
  }
}
output {
  if "openvas" in [tags] {
    stdout {
      codec => dots
    }
    elasticsearch {
      hosts => [ "elasticsearch:9200" ]
      index => "logstash-vulnwhisperer-%{+YYYY.MM}"
    }
  }
}