philhagen / sof-elk

Configuration files for the SOF-ELK VM
GNU General Public License v3.0

Create Community ID field for NetFlow #172

Open philhagen opened 4 years ago

philhagen commented 4 years ago

See https://github.com/corelight/community-id-spec

philhagen commented 4 years ago

https://github.com/Cyb3rWard0g/HELK/commit/e81a98a745a4d02acc9d346865aeb312b3ee599d#diff-81497c6343ac648c68637062cf1ba082

philhagen commented 1 year ago

also add for any entry with all necessary component fields

philhagen commented 1 year ago

create ElasticSearch pipeline and apply via the logstash elasticsearch output

https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#add-pipeline-to-indexing-request

https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html

philhagen commented 1 year ago

may be easier to just use a ruby implementation: https://github.com/rocknsm/rock-dashboards/blob/master/ecs-configuration/logstash/conf.d/logstash-900-filter-community_Id_hash-enrich.conf