Cyberdefense/VulnWhisperer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
97d2a2606c77df5688273edec207954c7b0330a2
VulnWhisperer/resources/elk6/pipeline/1000_nessus_process_file.conf
pemontto 97d2a2606c Cleanup logstash configs
2019-04-15 20:10:49 +10:00

112 lines
2.7 KiB
Plaintext
Raw Blame History

# Author: Austin Taylor and Justin Henderson
# Email: email@austintaylor.io
# Last Update: 12/20/2017
# Version 0.3
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
input {
file {
path => "/opt/VulnWhisperer/data/nessus/**/*.json"
mode => "read"
start_position => "beginning"
file_completed_action => "delete"
tags => "nessus"
codec => json
}
file {
path => "/opt/VulnWhisperer/data/tenable/*.json"
mode => "read"
start_position => "beginning"
file_completed_action => "delete"
tags => "tenable"
codec => json
}
}
filter {
if "nessus" in [tags] or "tenable" in [tags] {
date {
match => [ "_timestamp", "UNIX" ]
target => "@timestamp"
remove_field => ["timestamp"]
}
#If using filebeats as your source, you will need to replace the "path" field to "source"
# Remove when scan name is included in event (current method is error prone)
grok {
match => { "path" => "([a-zA-Z0-9_.\-]+)_%{INT}_%{INT:history_id}_%{INT}.json$" }
tag_on_failure => []
}
translate {
field => "[risk]"
destination => "[risk_number]"
dictionary => {
"None" => 0
"Low" => 1
"Medium" => 2
"High" => 3
"Critical" => 4
}
}
mutate {
add_field => { "risk_score" => "%{cvss}" }
}
mutate {
convert => { "cvss_base" => "float"}
convert => { "cvss_temporal" => "float"}
convert => { "cvss" => "float"}
convert => { "cvss3_base" => "float"}
convert => { "cvss3_temporal" => "float"}
convert => { "cvss3" => "float"}
convert => { "id" => "integer"}
convert => { "plugin_id" => "integer"}
convert => { "risk_number" => "integer"}
convert => { "risk_score" => "float"}
convert => { "total_times_detected" => "integer"}
}
if [risk_score] == 0 {
mutate {
add_field => { "risk_score_name" => "info" }
}
}
if [risk_score] > 0 and [risk_score] < 3 {
mutate {
add_field => { "risk_score_name" => "low" }
}
}
if [risk_score] >= 3 and [risk_score] < 6 {
mutate {
add_field => { "risk_score_name" => "medium" }
}
}
if [risk_score] >=6 and [risk_score] < 9 {
mutate {
add_field => { "risk_score_name" => "high" }
}
}
if [risk_score] >= 9 {
mutate {
add_field => { "risk_score_name" => "critical" }
}
}
}
}
output {
if "nessus" in [tags] or "tenable" in [tags]{
stdout {
codec => dots
}
elasticsearch {
hosts => [ "elasticsearch:9200" ]
index => "logstash-vulnwhisperer-%{+YYYY.MM}"
}
}
}
Reference in New Issue View Git Blame Copy Permalink