philhagen / sof-elk

Configuration files for the SOF-ELK VM
GNU General Public License v3.0

Open up to ingest Velociraptor flows via Elastic.Flows.Upload #244

Closed. certrik closed this issue 2 years ago.

certrik commented 2 years ago

The Elastic API seems to be accessible only internally, if I am correct. If you could prepare a port for the Elastic API to be accessible externally, Velociraptor (https://github.com/Velocidex/velociraptor) could be used as a data source via Elastic.Flows.Upload (https://github.com/Velocidex/velociraptor/blob/2ebfba0525a8838b5b67418f78d172b071033efb/artifacts/definitions/Elastic/Flows/Upload.yaml).

philhagen commented 2 years ago

That's correct - the SOF-ELK platform does not support any direct inputs to Elasticsearch. All inputs are through Logstash alone. That's not to say you couldn't reconfigure the Elasticsearch instance/cluster to take direct inputs from other sources, but it would fall outside the intent and scope of SOF-ELK itself.
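The practical gap in the exchange above is the wire format: a client built for Elasticsearch's bulk endpoint emits NDJSON with an action/metadata line in front of every document, which is not what a Logstash input expects. The following is an added example, not code from this thread, SOF-ELK or Velociraptor, showing a small converter that turns such a bulk body into plain JSON lines that a Logstash `json_lines` codec could ingest. It assumes the uploader (Elastic.Flows.Upload is taken as one such client) speaks the bulk API; the field names `target_index` and `doc_id`, and the sample body, are constructed for illustration.

```python
"""Turn an Elasticsearch bulk-API request body into plain JSON lines.

Added example for this thread; it is not code from SOF-ELK or Velociraptor.
Assumption: the uploading client (e.g. Velociraptor's Elastic.Flows.Upload
artifact) speaks the Elasticsearch bulk API, i.e. NDJSON where each
index/create/update action line is followed by a source line and a delete
action stands alone. Fed straight to a Logstash json_lines input, the action
lines would become bogus events, so they are stripped here and the target
index and document id are carried as ordinary fields instead.
"""
import json

ACTIONS_WITH_SOURCE = {"index", "create", "update"}
ACTIONS_WITHOUT_SOURCE = {"delete"}


def bulk_to_events(body, index_field="target_index", id_field="doc_id"):
    """Parse a bulk body; return one flat dict per indexed document.

    Raises ValueError on a malformed body rather than silently skipping
    lines, so a broken upload is noticed instead of producing half an index.
    """
    lines = [ln for ln in body.split("\n") if ln.strip()]
    events = []
    i = 0
    while i < len(lines):
        action_line = json.loads(lines[i])
        if not isinstance(action_line, dict) or len(action_line) != 1:
            raise ValueError(f"line {i + 1}: expected a single-key action line")
        action, meta = next(iter(action_line.items()))
        if action in ACTIONS_WITHOUT_SOURCE:
            i += 1  # delete carries no document; nothing to ingest
            continue
        if action not in ACTIONS_WITH_SOURCE:
            raise ValueError(f"line {i + 1}: unknown bulk action {action!r}")
        if i + 1 >= len(lines):
            raise ValueError(f"line {i + 1}: {action!r} has no source line")
        source = json.loads(lines[i + 1])
        if action == "update":
            # partial updates wrap the fields in {"doc": {...}}
            source = source.get("doc", {})
        if not isinstance(source, dict):
            raise ValueError(f"line {i + 2}: source line is not a JSON object")
        event = dict(source)
        event[index_field] = meta.get("_index")  # hypothetical field name
        if "_id" in meta:
            event[id_field] = meta["_id"]  # hypothetical field name
        events.append(event)
        i += 2
    return events


def to_json_lines(events):
    """Serialize events one per line, the form Logstash's json_lines codec reads."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def is_valid_bulk(body):
    """True if bulk_to_events() accepts the body, False if it is malformed."""
    try:
        bulk_to_events(body)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


# Constructed sample bulk body: illustrative field names, not real data.
SAMPLE_BULK = "\n".join([
    json.dumps({"index": {"_index": "velociraptor", "_id": "1"}}),
    json.dumps({"ClientId": "C.1234", "Artifact": "Windows.System.Pslist",
                "Name": "lsass.exe", "Pid": 712}),
    json.dumps({"create": {"_index": "velociraptor"}}),
    json.dumps({"ClientId": "C.1234", "Artifact": "Windows.System.Pslist",
                "Name": "svchost.exe", "Pid": 904}),
    json.dumps({"delete": {"_index": "velociraptor", "_id": "9"}}),
]) + "\n"

if __name__ == "__main__":
    print(to_json_lines(bulk_to_events(SAMPLE_BULK)), end="")
```

The converter keeps the intake path through Logstash, which is the boundary the maintainer describes; the resulting lines can be written to a file or socket that an existing Logstash input reads, and the `target_index` field gives a filter or output stage something to route on. A strict parser is deliberate here: a bulk body that is out of step (an action line without its document) is a sign of a broken or tampered upload and should fail loudly rather than be half-ingested.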