# SOF-ELK® Configuration File
# Author: Phil Hagen
# Email: phil@lewestech.com
#
# (C)2019 Lewes Technology Consulting, LLC
#
# This conf file accepts logs from the KAPE forensic tool
# This file is currently disabled until the parser's JSON output matches the field layout expected below.
# NOTE(review): the original note names PECmd, but the fields handled here (LNK header/target/volume data,
# SourceFile, RelativePath, WorkingDirectory) look like LECmd output — confirm which tool this refers to before re-enabling.
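filter {
# Entire body is commented out on purpose: nothing in this file runs until the JSON field names below
# have been verified against the parser output and the block is uncommented.
# if [type] == "kape_filefolderaccess" and "json" not in [tags] {
# # NOTE(review): this gate skips events already tagged "json"; confirm it is still the intended
# # condition once the JSON-format input is wired up, otherwise the block will never match.
# # kept and handled: SourceCreated, SourceModified, SourceAccessed, TargetCreated, TargetModified, TargetAccessed, SourceFile, FileSize, RelativePath, WorkingDirectory, DriveType, VolumeSerialNum, FileAttributes, HeaderFlags
# # NOTE(review): the list above says HeaderFlags, but the block below renames DataFlags; confirm the
# # actual key name emitted by the parser.
#
# mutate {
# # create two timestamp fields with the MACBs in subfields
# # Source* values are read from the top level of the record, Target* values from [raw][Header]
# rename => {
# "[raw][SourceModified]" => "[Source][LastModified]"
# "[raw][SourceAccessed]" => "[Source][LastAccess]"
# "[raw][SourceCreated]" => "[Source][Created]"
#
# "[raw][Header][TargetModificationDate]" => "[Target][LastModified]"
# "[raw][Header][TargetLastAccessedDate]" => "[Target][LastAccess]"
# "[raw][Header][TargetCreationDate]" => "[Target][Created]"
# }
# }
#
# # strip timestamps to just their integers
# # Only the plain /Date(<ms>)/ form is rewritten. A value in any other shape is left untouched, so the
# # date filters below will tag the event _dateparsefailure rather than silently storing a wrong time;
# # watch for that tag when validating the re-enabled pipeline.
# mutate {
# gsub => [ "[Source][LastModified]", "\/Date\((\d+)\)\/", "\1" ]
# gsub => [ "[Source][LastAccess]", "\/Date\((\d+)\)\/", "\1" ]
# gsub => [ "[Source][Created]", "\/Date\((\d+)\)\/", "\1" ]
#
# gsub => [ "[Target][LastModified]", "\/Date\((\d+)\)\/", "\1" ]
# gsub => [ "[Target][LastAccess]", "\/Date\((\d+)\)\/", "\1" ]
# gsub => [ "[Target][Created]", "\/Date\((\d+)\)\/", "\1" ]
# }
#
# # convert all Source timestamps to date/time types (each field is parsed in place as epoch milliseconds)
# date {
# match => [ "[Source][LastModified]", "UNIX_MS" ]
# target => "[Source][LastModified]"
# }
# date {
# match => [ "[Source][LastAccess]", "UNIX_MS" ]
# target => "[Source][LastAccess]"
# }
# date {
# match => [ "[Source][Created]", "UNIX_MS" ]
# target => "[Source][Created]"
# }
#
# # convert all Target timestamps to date/time types
# date {
# match => [ "[Target][LastModified]", "UNIX_MS" ]
# target => "[Target][LastModified]"
# }
# date {
# match => [ "[Target][LastAccess]", "UNIX_MS" ]
# target => "[Target][LastAccess]"
# }
# date {
# match => [ "[Target][Created]", "UNIX_MS" ]
# target => "[Target][Created]"
# }
#
# # convert FileAttributes to true/false array
# # NOTE(review): FileAttributes and DataFlags are read from [raw][HeaderInfo], while the Target dates
# # and FileSize above/below use [raw][Header]; confirm which container name the parser emits.
# mutate {
# rename => {
# "[raw][HeaderInfo][FileAttributes]" => "FileAttributes"
# }
# }
# # The ruby filter executes the referenced script inside the Logstash process with Logstash's
# # privileges; keep the supporting-scripts directory writable only by the SOF-ELK administrator.
# ruby {
# path => "/usr/local/sof-elk/supporting-scripts/ntfs_flags_to_array.rb"
# script_params => { "source_field" => "FileAttributes" }
# }
#
# # convert DataFlags to true/false array
# mutate {
# rename => {
# "[raw][HeaderInfo][DataFlags]" => "DataFlags"
# }
# }
# ruby {
# path => "/usr/local/sof-elk/supporting-scripts/data_flags_to_array.rb"
# # quoted to match the FileAttributes call above (was a bare word)
# script_params => { "source_field" => "DataFlags" }
# }
#
# # clean up by promoting needed fields to keep and removing [raw] placeholder
# # Anything still under [raw] after these renames is discarded by remove_field; promote any
# # additional field you need to keep before that line.
# mutate {
# rename => {
# "[raw][SourceFile]" => "SourceFile"
# "[raw][Header][FileSize]" => "FileSize"
# "[raw][RelativePath]" => "RelativePath"
# "[raw][WorkingDirectory]" => "WorkingDirectory"
# "[raw][VolumeInfo][DriveType]" => "DriveType"
# "[raw][VolumeInfo][VolumeSerialNum]" => "VolumeSerialNum"
# }
# remove_field => [ "raw" ]
# }
# }
}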