From 6ede3229f9f0d7a1d945d717ccda71ce98b07f92 Mon Sep 17 00:00:00 2001
From: TheTechromancer <thetechromancer@protonmail.com>
Date: Thu, 1 Feb 2024 17:43:02 -0500
Subject: [PATCH 1/3] JSON module: option for SIEM-friendly output

---
 bbot/modules/output/json.py                       | 14 +++++++++++---
 .../test_step_2/module_tests/test_module_json.py  | 15 +++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/bbot/modules/output/json.py b/bbot/modules/output/json.py
index f13cf7808..a380ac9a1 100644
--- a/bbot/modules/output/json.py
+++ b/bbot/modules/output/json.py
@@ -7,16 +7,24 @@
 class JSON(BaseOutputModule):
     watched_events = ["*"]
     meta = {"description": "Output to Newline-Delimited JSON (NDJSON)"}
-    options = {"output_file": "", "console": False}
-    options_desc = {"output_file": "Output to file", "console": "Output to console"}
+    options = {"output_file": "", "console": False, "siem_friendly": False}
+    options_desc = {
+        "output_file": "Output to file",
+        "console": "Output to console",
+        "siem_friendly": "Output JSON in a SIEM-friendly format for ingestion into Elastic, Splunk, etc.",
+    }
     _preserve_graph = True
 
     async def setup(self):
         self._prep_output_dir("output.ndjson")
+        self.siem_friendly = self.config.get("siem_friendly", False)
         return True
 
     async def handle_event(self, event):
-        event_str = json.dumps(dict(event))
+        event_json = dict(event)
+        if self.siem_friendly:
+            event_json["data"] = {event.type: event_json.pop("data", "")}
+        event_str = json.dumps(event_json)
         if self.file is not None:
             self.file.write(event_str + "\n")
             self.file.flush()
diff --git a/bbot/test/test_step_2/module_tests/test_module_json.py b/bbot/test/test_step_2/module_tests/test_module_json.py
index 6dafb68a5..1e67db085 100644
--- a/bbot/test/test_step_2/module_tests/test_module_json.py
+++ b/bbot/test/test_step_2/module_tests/test_module_json.py
@@ -12,3 +12,18 @@ def check(self, module_test, events):
         e = event_from_json(json.loads(lines[0]))
         assert e.type == "SCAN"
         assert e.data == f"{module_test.scan.name} ({module_test.scan.id})"
+
+
+class TestJSONSIEMFriendly(ModuleTestBase):
+    modules_overrides = ["json"]
+    config_overrides = {"output_modules": {"json": {"siem_friendly": True}}}
+
+    def check(self, module_test, events):
+        txt_file = module_test.scan.home / "output.ndjson"
+        lines = list(module_test.scan.helpers.read_file(txt_file))
+        passed = False
+        for line in lines:
+            e = json.loads(line)
+            if e["data"] == {"DNS_NAME": "blacklanternsecurity.com"}:
+                passed = True
+        assert passed

From 13af94a529e803071b423b34cc3618c7827d89e8 Mon Sep 17 00:00:00 2001
From: TheTechromancer <thetechromancer@protonmail.com>
Date: Thu, 1 Feb 2024 17:50:24 -0500
Subject: [PATCH 2/3] updated docs

---
 docs/scanning/tips_and_tricks.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/scanning/tips_and_tricks.md b/docs/scanning/tips_and_tricks.md
index 0572bedb2..1ed370e52 100644
--- a/docs/scanning/tips_and_tricks.md
+++ b/docs/scanning/tips_and_tricks.md
@@ -53,6 +53,24 @@ You can also pair the web spider with subdomain enumeration:
 bbot -t evilcorp.com -f subdomain-enum -c spider.yml
 ```
 
+### Ingesting BBOT Data Into SIEM (Elastic, Splunk)
+
+If your goal is to feed BBOT data into a SIEM such as Elastic, make sure to enable this option when scanning:
+
+```bash
+bbot -t evilcorp.com -c output_modules.json.siem_friendly=true
+```
+
+This nests the event's `.data` beneath its event type like so:
+```json
+{
+  "type": "DNS_NAME",
+  "data": {
+    "DNS_NAME": "blacklanternsecurity.com"
+  }
+}
+```
+
 ### Custom HTTP Proxy
 
 Web pentesters may appreciate BBOT's ability to quickly populate Burp Suite site maps for all subdomains in a target. If your scan includes gowitness, this will capture the traffic as if you manually visited each website in your browser -- including auxiliary web resources and javascript API calls. To accomplish this, set the `http_proxy` config option like so:

From bdac5d66562ad4a54429d76410e9a65b5b93b210 Mon Sep 17 00:00:00 2001
From: TheTechromancer <thetechromancer@protonmail.com>
Date: Thu, 1 Feb 2024 17:52:28 -0500
Subject: [PATCH 3/3] updated docs

---
 docs/scanning/tips_and_tricks.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/scanning/tips_and_tricks.md b/docs/scanning/tips_and_tricks.md
index 1ed370e52..5e115bcde 100644
--- a/docs/scanning/tips_and_tricks.md
+++ b/docs/scanning/tips_and_tricks.md
@@ -55,7 +55,7 @@ bbot -t evilcorp.com -f subdomain-enum -c spider.yml
 
 ### Ingesting BBOT Data Into SIEM (Elastic, Splunk)
 
-If your goal is to feed BBOT data into a SIEM such as Elastic, make sure to enable this option when scanning:
+If your goal is to feed BBOT data into a SIEM such as Elastic, be sure to enable this option when scanning:
 
 ```bash
 bbot -t evilcorp.com -c output_modules.json.siem_friendly=true