logstash-to-splunk.conf

#
# logstash-to-splunk.conf
# receives logs from Beats, parses them into the Elastic Common Schema if needed, then sends the logs to Splunk
# last updated: 2022-02-09
#
# splunk internal and basic default fields:
# _raw, _time, _indextime, _cd, host, index, linecount, punct, source, sourcetype, splunk_server, timestamp, date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, tag, eventtype, earliest, latest
#
# https://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Aboutdefaultfields
# https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399447
# https://www.elastic.co/guide/en/ecs/current/index.html
# https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector
# https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/legacy/grok-patterns
# https://docs.splunk.com/Documentation/Splunk/8.2.2/Security/ConfigureSplunkforwardingtousesignedcertificates
#
# Test Winlogbeat Without Installing
# .\winlogbeat.exe -c .\winlogbeat.yml -e
#
# Logstash Commands
# sudo /usr/share/logstash/bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/
# sudo /usr/share/logstash/bin/logstash --config.reload.automatic -f /etc/logstash/conf.d/*.conf
#
# Splunk Query for Defender Logs
# sourcetype="winlogbeat" event.module="defender" | fillnull value=- | table _time @timestamp event.module rule.category rule.name event.action user.domain user.name process.command_line process.name file.path file.name process.executable process.pid process.entity_id rule.reference process.command_line index sourcetype | sort -@timestamp
#

input {
	beats {
		port => 5044
	}
}

filter {
	# initial cleanup
	mutate {
		remove_field => "index"
		remove_field => "message"
		remove_field => "tags"
		remove_field => "priority"
		remove_field => "@version"
		remove_field => "facility"
		remove_field => "facility_label"
		remove_field => "severity"
		remove_field => "severity_label"
		remove_field => "syslog_pri"
	}
	#\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
	#
	# WINLOGBEAT
	#
	#///////////////////////////////////////////////////////////////////////////////////
	#
	#
	#================================================
	# Security Event Logs (enabled by default in winlogbeat.yml)
	#================================================
	#
	#
	#### Security Event Log data is properly formatted if sent via Winlogbeat
	#
	#
	#================================================
	# Sysmon (requires Sysmon from Windows SysInternals and a customized configuration file; enabled by default in winlogbeat.yml)
	#================================================
	#
	#
	#### Sysmon data is properly formatted if sent via Winlogbeat
	#
	#
	#================================================
	# Windows Defender (requires Group or Local Policy modification and mod to winlogbeat.yml)
	# GPO (NOT FOR PRODUCTION): Group Policy Management Editor --> right click domain, new GPO --> right click new GPO, edit --> Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Double-click "Audit object access" --> check "Define these policy setting" and BOTH "Success" and "Failure" options --> click Apply then OK
	# winlogbeat.yml: under "winlogbeat.event_logs", add "- name: Microsoft-Windows-Windows Defender/Operational"
	#================================================
	#
	#
	if [event][provider] == "Microsoft-Windows-Windows Defender" {
		mutate {
			add_field => { "[event][module]" => "defender" }
			rename => { "[winlog][event_data][Threat Name]" => "[rule][name]" }
			rename => { "[winlog][event_data][Category Name]" => "[rule][category]" }
			lowercase => [ "[rule][category]" ]
			rename => { "[winlog][event_data][Action Name]" => "[event][action]" }
			lowercase => [ "[event][action]" ]
			rename => { "[winlog][event_data][Threat ID]" => "[rule][id]" }
			rename => { "[winlog][event_data][FWLink]" => "[rule][reference]" }
			rename => { "[winlog][event_data][Product Name]" => "[observer][product]" }
			rename => { "[winlog][event_data][Process Name]" => "[process][executable]" }
			rename => { "[winlog][process][pid]" => "[process][pid]" }
			rename => { "[winlog][provider_guid]" => "[process][entity_id]" }
			# rename => { "[winlog][event_data][Additional Actions String]" => "[event][reason]" } # can be very misleading if an event is not quarantined but this field still says "no further actions required"
		}
		if "CmdLine:_" in [winlog][event_data][Path] {
			mutate {
				rename => { "[winlog][event_data][Path]" => "[process][command_line]" }
				gsub => [ "[process][command_line]", "CmdLine:_", ""]
			}
		} else if "file:_" in [winlog][event_data][Path] {
			mutate {
				rename => { "[winlog][event_data][Path]" => "[file][path]" }
				gsub => [ "[file][path]", "file:_", ""]
			}
		}
		# create file.name field
		if [file][path] {
			if ![file][name] {
				grok {
					match => { "[file][path]" => "%{GREEDYDATA}\\%{GREEDYDATA:[file][name]}" }
				}
			}
		}
		# user fields
		if [winlog][event_data][Detection User] {
			grok {
				match => { "[winlog][event_data][Detection User]" => "%{GREEDYDATA:[user][domain]}\\%{GREEDYDATA:[user][name]}" }
			}
		}
		# process.name if process.executable exists
		if [process][executable] {
			if ![process][name] {
				grok {
					match => { "[process][executable]" => "%{GREEDYDATA}\\%{GREEDYDATA:[process][name]}" }
				}
			}
		}
	}
#	} else {
#		drop {}
#	}
}

output {
	stdout {  }
	http {
		# must POST data as JSON
		content_type => "application/json"
		http_method => "post"
		# send to the endpoint "/services/collector/raw" on port 8088
		url => "http://YOUR-SPLUNK-SERVER:8088/services/collector/raw"
		# the token can be found in Splunk at Settings --> Data inputs --> HTTP Event Collector
		headers => ["Authorization", "Splunk YOUR-TOKEN-GOES-HERE"]
	}
}