From e189fa9df8f08b0d8afbeed2c980eef7a60426f9 Mon Sep 17 00:00:00 2001 From: V1D1AN Date: Fri, 27 Jan 2023 18:25:25 +0100 Subject: [PATCH 1/6] Add Zircolite --- 01_deploy.sh | 4 +- README.md | 3 + docker-compose.yml | 60 +++++++++++++++++-- env.sample | 2 + homer/config.yml | 21 +++++-- logstash/config/pipelines.yml | 3 + .../zircolite/100_input_zircolite.conf | 10 ++++ .../zircolite/200_filter_zircolite.conf | 2 + .../zircolite/300_output_zircolite.conf | 10 ++++ 9 files changed, 104 insertions(+), 11 deletions(-) create mode 100644 logstash/pipeline/zircolite/100_input_zircolite.conf create mode 100644 logstash/pipeline/zircolite/200_filter_zircolite.conf create mode 100644 logstash/pipeline/zircolite/300_output_zircolite.conf diff --git a/01_deploy.sh b/01_deploy.sh index 2653eaa..48f2587 100644 --- a/01_deploy.sh +++ b/01_deploy.sh @@ -35,6 +35,7 @@ sed -i "s|organization_name|$organization|g" .env sed -i "s|opencti_account|$admin_account|g" .env sed -i "s|arkime_account|$admin_account|g" .env sed -i "s|n8n_account|$admin_account|g" .env +sed -i "s|zircolite_account|$admin_account|g" .env echo while true; do read -s -p "Password (Must be a password with at least 6 characters): " admin_password @@ -47,6 +48,7 @@ done sed -i "s|opencti_password|$admin_password|g" .env sed -i "s|arkime_password|$admin_password|g" .env sed -i "s|n8n_password|$admin_password|g" .env +sed -i "s|zircolite_password|$admin_password|g" .env echo echo echo "##########################################" @@ -614,7 +616,7 @@ echo "####### STARTING OTHER DOCKER ###########" echo "#########################################" echo echo -docker-compose up -d fleet-server elastalert cyberchef file-upload syslog-ng tcpreplay clamav heartbeat spiderfoot codimd watchtower +docker-compose up -d fleet-server elastalert cyberchef zircolite zircolite-upload file-upload syslog-ng tcpreplay clamav heartbeat spiderfoot codimd watchtower echo echo echo "#########################################" 
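Review bot: `sed -i "s|zircolite_password|$admin_password|g" .env` interpolates the password typed at the prompt straight into a sed expression, so a value containing `|`, `&` or `\` either aborts the substitution or writes something else into .env (`&` expands to the matched text), and the only validation visible here is the 6-character minimum. Escape it once before the run of substitutions, e.g. `esc_pw=$(printf '%s' "$admin_password" | sed 's/[|&\\]/\\&/g')` followed by `sed -i "s|zircolite_password|$esc_pw|g" .env` (and the same for the opencti/arkime/n8n lines). The same `$admin_password` now also backs the Zircolite Elasticsearch account, whose value ends up in the zircolite container's command string in docker-compose.yml, so a leak there exposes every service sharing the password; a one-line comment above these lines stating that one password is fanned out to all of them would make that trade-off explicit. The prompt loop that validates the password begins outside the hunk.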
diff --git a/README.md b/README.md index 5cbb13b..500be6f 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ Inside the solution: * Auditbeat * Fleet * N8n +* Zircolite * Spiderfoot * Syslog-ng * Elastalert @@ -69,6 +70,7 @@ Inside the solution: - [ ] SSO - [ ] Interact with Lab-DFIR-SOC (https://github.com/StevenDias33/Lab-DFIR-SOC) - [ ] Add Capa +- [ ] Add Zircolite # Related project @@ -93,6 +95,7 @@ https://gchq.github.io/CyberChef/
https://www.clamav.net/
https://www.syslog-ng.com/
https://github.com/bastienwirtz/homer
+https://github.com/wagga40/zircolite
diff --git a/docker-compose.yml b/docker-compose.yml index 79f297d..24776fc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -323,6 +323,7 @@ services: volumes: - certs:/usr/share/certificates:ro - stoq:/var/log/stoq + - zircolite:/usr/share/logstash/zircolite:rw - ./logstash/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro - ./logstash/config/jvm.options:/usr/share/logstash/config/jvm.options:ro @@ -482,7 +483,7 @@ services: - upload:/pcap file-upload: - image: v1d1an/file-upload:1.0 + image: v1d1an/file-upload:1.1 container_name: file-upload hostname: file-upload restart: always @@ -495,9 +496,10 @@ services: volumes: - upload:/var/www/upload/server/php/chroot/files environment: - - SITE_NAME=S1EM + - SITE_NAME=Upload for PCAP - SITE_USERNAME=upload - SITE_PASSWORD=upload + - DESCRIPTION=Upload only PCAP file. labels: - "traefik.enable=true" - "traefik.http.routers.upload.rule=PathPrefix(`/upload`)" 
@@ -508,8 +510,56 @@ services: - "traefik.http.routers.upload.middlewares=redirect-to-https" - "traefik.http.middlewares.upload-stripprefix.stripprefix.prefixes=/upload" - "traefik.http.routers.upload.middlewares=upload-stripprefix" - ports: - - "8022:22" + networks: + - s1em + + zircolite: + #image: docker.io/wagga40/zircolite:latest + image: v1d1an/zircolite:1.0 + container_name: zircolite + hostname: zircolite + restart: always + user: root + tty: true + logging: + driver: "json-file" + options: + max-size: "10m" + max-file: "3" + volumes: + - zircolite:/case + command: "--ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog" + networks: + - s1em + + zircolite-upload: + image: v1d1an/file-upload:1.1 + container_name: zircolite-upload + hostname: zircolite-upload + restart: always + user: root + logging: + driver: "json-file" + options: + max-size: "10m" + max-file: "3" + volumes: + - zircolite:/var/www/upload/server/php/chroot/files + environment: + - SITE_NAME=Upload for Zircolite + - SITE_USERNAME=upload + - SITE_PASSWORD=upload + - DESCRIPTION=Upload only JSON file or EVTX file. + labels: + - "traefik.enable=true" + - "traefik.http.routers.zircolite.rule=PathPrefix(`/zircolite`)" + - "traefik.http.routers.zircolite.entryPoints=secure" + - "traefik.http.routers.zircolite.tls=true" + - "traefik.http.services.zircolite.loadbalancer.server.port=80" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + - "traefik.http.routers.zircolite.middlewares=redirect-to-https" + - "traefik.http.middlewares.zircolite-stripprefix.stripprefix.prefixes=/zircolite" + - "traefik.http.routers.zircolite.middlewares=zircolite-stripprefix" networks: - s1em 
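Review bot: The zircolite-upload service is published through Traefik on the `secure` entrypoint with fixed credentials `SITE_USERNAME=upload` / `SITE_PASSWORD=upload`, the same pair file-upload already uses, so anyone holding that default can drop files into the shared `zircolite` volume that the zircolite container then parses while running as `user: root`. Make the upload credentials deploy-time values like the Elasticsearch ones, e.g. `- SITE_USERNAME=${ZIRCOLITE_UPLOAD_USER}` and `- SITE_PASSWORD=${ZIRCOLITE_UPLOAD_PASSWORD}` filled in by 01_deploy.sh, and drop `user: root` from both new services unless the images demonstrably need it. The `command:` string also embeds `--espass '${ZIRCOLITE_PASSWORD}'`, which is expanded at compose time and is readable via `docker inspect zircolite` and from the container's process list; if the CLI offers no other way to pass it, add `# NOTE: the ES password is visible in this container's command line; restrict access to the Docker socket` above the service. If the `v1d1an/zircolite` image does not wrap the one-shot CLI in a watch loop, `restart: always` will re-run it continuously against `/case/`; confirm against the image.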
@@ -1645,3 +1695,5 @@ volumes: external: false n8n_data: external: false + zircolite: + external: false \ No newline at end of file diff --git a/env.sample b/env.sample index 74faaef..93664ed 100644 --- a/env.sample +++ b/env.sample @@ -37,3 +37,5 @@ GENERIC_TIMEZONE=Europe/Berlin FLEET_SERVICETOKEN=fleettoken FLEET_ENROLLTOKEN=fleetenroll ADMINISTRATION_IP=administrationip +ZIRCOLITE_USER=zircolite_account +ZIRCOLITE_PASSWORD=zircolite_password \ No newline at end of file diff --git a/homer/config.yml b/homer/config.yml index 6115876..827d6d3 100644 --- a/homer/config.yml +++ b/homer/config.yml @@ -9,7 +9,7 @@ logo: "https://user-images.githubusercontent.com/18678787/119020235-49428680-b99 header: true footer: '

Created with ❤️ with bulma, vuejs & font awesome // Fork me on

' # set false if you want to hide it. -columns: 5 +columns: 6 # Optional theme customization theme: default colors: @@ -169,14 +169,23 @@ services: tag: "app" url: "https://s1em_hostname/codimd/" target: "_blank" # optional html a tag target attribute - - name: "Upload" - logo: "https://fileproinfo.com/images/pcap_file_extension.png" - tag: "app" - url: "https://s1em_hostname/upload/" - target: "_blank" # optional html a tag target attribute - name: "StartMe" logo: "https://res.cloudinary.com/crunchbase-production/image/upload/c_lpad,h_170,w_170,f_auto,b_white,q_auto:eco,dpr_1/v1477931274/aq1yfkwbl5yslbedhkyj.png" tag: "site" tagstyle: "is-success" url: "https://start.me/p/6r66da/cybersecurity" target: "_blank" # optional html a tag target attribute + + - name: "UPLOAD" + icon: "fas fa-tools" + items: + - name: "PCAP" + logo: "https://fileproinfo.com/images/pcap_file_extension.png" + tag: "app" + url: "https://s1em_hostname/upload/" + target: "_blank" # optional html a tag target attribute + - name: "Zircolite" + logo: "https://fileproinfo.com/images/pcap_file_extension.png" + tag: "app" + url: "https://s1em_hostname/zircolite/" + target: "_blank" # optional html a tag target attribute diff --git a/logstash/config/pipelines.yml b/logstash/config/pipelines.yml index 1404a3e..91c8217 100644 --- a/logstash/config/pipelines.yml +++ b/logstash/config/pipelines.yml @@ -4,3 +4,6 @@ - pipeline.id: stoq path.config: "/usr/share/logstash/pipeline/stoq/*.conf" pipeline.workers: 3 +- pipeline.id: zircolite + path.config: "/usr/share/logstash/pipeline/stoq/*.conf" + pipeline.workers: 3 diff --git a/logstash/pipeline/zircolite/100_input_zircolite.conf b/logstash/pipeline/zircolite/100_input_zircolite.conf new file mode 100644 index 0000000..d84e485 --- /dev/null +++ b/logstash/pipeline/zircolite/100_input_zircolite.conf 
@@ -0,0 +1,10 @@ +input { + file { + mode => "read" + path => ["/usr/share/logstash/zircolite/*.json"] + codec => "json" + sincedb_path => "/dev/null" + file_completed_action => "delete" + file_chunk_size => "131072" + } +} \ No newline at end of file diff --git a/logstash/pipeline/zircolite/200_filter_zircolite.conf b/logstash/pipeline/zircolite/200_filter_zircolite.conf new file mode 100644 index 0000000..474060e --- /dev/null +++ b/logstash/pipeline/zircolite/200_filter_zircolite.conf @@ -0,0 +1,2 @@ +filter { +} diff --git a/logstash/pipeline/zircolite/300_output_zircolite.conf b/logstash/pipeline/zircolite/300_output_zircolite.conf new file mode 100644 index 0000000..cb88cf5 --- /dev/null +++ b/logstash/pipeline/zircolite/300_output_zircolite.conf @@ -0,0 +1,10 @@ +output { + elasticsearch { + index => "zircolite-%{+YYYY.MM.dd}" + hosts => ["https://es01:9200"] + user => "elastic" + password => "changeme" + cacert => "/usr/share/certificates/ca/ca.crt" + ssl => true + } +} \ No newline at end of file From e0c3a03dd465e184a80b2d05bbca8a987985df05 Mon Sep 17 00:00:00 2001 From: V1D1AN Date: Fri, 27 Jan 2023 20:27:47 +0100 Subject: [PATCH 2/6] Add Index Zircolite --- docker-compose.yml | 2 +- homer/config.yml | 2 +- kibana/index/zircolite.ndjson | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 kibana/index/zircolite.ndjson diff --git a/docker-compose.yml b/docker-compose.yml index 24776fc..9132d60 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -549,7 +549,7 @@ services: - SITE_NAME=Upload for Zircolite - SITE_USERNAME=upload - SITE_PASSWORD=upload - - DESCRIPTION=Upload only JSON file or EVTX file. + - DESCRIPTION=Upload only EVTX file or JSON file (Use template exportForELK.tmpl). labels: - "traefik.enable=true" - "traefik.http.routers.zircolite.rule=PathPrefix(`/zircolite`)" diff --git a/homer/config.yml b/homer/config.yml index 827d6d3..244d959 100644 --- a/homer/config.yml +++ b/homer/config.yml 
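Review bot: The file input reads every `*.json` under `/usr/share/logstash/zircolite/`, which per docker-compose.yml in this series is the same `zircolite` volume the web upload container writes into, so JSON documents supplied by whoever holds the upload credentials are decoded with `codec => "json"` and indexed as-is while the accompanying `200_filter_zircolite.conf` is empty. Document the trust boundary at the top of this input, e.g. `# Files here come from the zircolite-upload web form and from Zircolite's --outfile; treat their contents as untrusted input.`, and in the filter stage at least drop what cannot be decoded or lacks the field the dashboard keys on: `if "_jsonparsefailure" in [tags] or ![title] { drop { } }`. `file_completed_action => "delete"` also removes the uploaded JSON once read, so the original artefact is gone after ingestion; that belongs in the same comment. Whether Zircolite has finished writing `/case/detected_events.json` when Logstash reaches EOF in `mode => "read"` is not visible here; confirm there is no race between the two containers.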
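Review bot: The output authenticates as `user => "elastic"`, the built-in superuser, to write one index pattern; 01_deploy.sh later only substitutes the password, so this pipeline keeps cluster-wide privileges it does not need. Create a dedicated writer with a role limited to e.g. `create_index` and `write` on `zircolite-*` and use it here, and consider `password => "${ELASTIC_PASSWORD}"` (Logstash expands environment variables in pipeline config) so the secret is not rewritten into a tracked file by sed. A header comment naming the consumer and the privilege it needs would help the next maintainer: `# Indexes Zircolite alerts read from the shared /case volume into zircolite-YYYY.MM.dd; needs write access to zircolite-* only.`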
@@ -9,7 +9,7 @@ logo: "https://user-images.githubusercontent.com/18678787/119020235-49428680-b99 header: true footer: '

Created with ❤️ with bulma, vuejs & font awesome // Fork me on

' # set false if you want to hide it. -columns: 6 +columns: 5 # Optional theme customization theme: default colors: diff --git a/kibana/index/zircolite.ndjson b/kibana/index/zircolite.ndjson new file mode 100644 index 0000000..fdd93d4 --- /dev/null +++ b/kibana/index/zircolite.ndjson @@ -0,0 +1 @@ +{"attributes":{"fieldAttrs":"{}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"@timestamp","title":"zircolite-*"},"coreMigrationVersion":"7.12.1","id":"zircolite-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-05-26T15:52:39.743Z","version":"WzczNDUwNSw0XQ=="} From f42e1df179e97905a0742f670ed27dd9eea79e7b Mon Sep 17 00:00:00 2001 From: V1D1AN Date: Fri, 27 Jan 2023 22:08:18 +0100 Subject: [PATCH 3/6] Add Zircolite monitor Correction index for zircolite --- heartbeat/monitors.d/zircolite.yml | 7 +++++++ kibana/index/zircolite.ndjson | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 heartbeat/monitors.d/zircolite.yml diff --git a/heartbeat/monitors.d/zircolite.yml b/heartbeat/monitors.d/zircolite.yml new file mode 100644 index 0000000..b8db694 --- /dev/null +++ b/heartbeat/monitors.d/zircolite.yml @@ -0,0 +1,7 @@ +- type: tcp + enabled: true + id: zircolite + name: Zircolite upload + hosts: ["zircolite-upload"] + ports: [80] + schedule: '@every 30s' diff --git a/kibana/index/zircolite.ndjson b/kibana/index/zircolite.ndjson index fdd93d4..92b491f 100644 --- a/kibana/index/zircolite.ndjson +++ b/kibana/index/zircolite.ndjson 
@@ -1 +1,2 @@ -{"attributes":{"fieldAttrs":"{}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"@timestamp","title":"zircolite-*"},"coreMigrationVersion":"7.12.1","id":"zircolite-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-05-26T15:52:39.743Z","version":"WzczNDUwNSw0XQ=="} +{"attributes":{"fieldAttrs":"{}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"SystemTime","title":"zircolite-*","typeMeta":"{}"},"coreMigrationVersion":"7.17.8","id":"zircolite-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2023-01-27T20:54:14.611Z","version":"WzM4ODgsNF0="} +{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":1,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file From 77d59a692a400ca53044495f06c8e014fc9f9ae7 Mon Sep 17 00:00:00 2001 From: V1D1AN Date: Sat, 28 Jan 2023 13:14:27 +0100 Subject: [PATCH 4/6] Add Zircolite dashboard Correction bug --- 01_deploy.sh | 2 +- README.md | 4 ++-- docker-compose.yml | 2 ++ homer/config.yml | 5 +++++ kibana/dashboard/zircolite.ndjson | 10 ++++++++++ logstash/config/pipelines.yml | 2 +- 6 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 kibana/dashboard/zircolite.ndjson diff --git a/01_deploy.sh b/01_deploy.sh index 48f2587..1256f7d 100644 --- a/01_deploy.sh +++ b/01_deploy.sh 
@@ -16,7 +16,7 @@ echo "The master password Elastic set in .env:" $password
 echo "The master password Kibana set in .env:" $kibana_password
 echo "The Kibana api key is : " $kibana_api_key
 sed -i "s|kibana_api_key|$kibana_api_key|g" kibana/kibana.yml
-sed -i "s|changeme|$password|g" .env cortex/application.conf thehive/application.conf elastalert/elastalert.yaml filebeat/filebeat.yml metricbeat/metricbeat.yml heartbeat/heartbeat.yml metricbeat/modules.d/elasticsearch-xpack.yml metricbeat/modules.d/kibana-xpack.yml kibana/kibana.yml auditbeat/auditbeat.yml logstash/config/logstash.yml logstash/pipeline/beats/300_output_beats.conf logstash/pipeline/stoq/300_output_stoq.conf sigma/dockerfile arkime/scripts/capture.sh arkime/scripts/config.sh arkime/scripts/import.sh arkime/scripts/init-db.sh arkime/scripts/viewer.sh arkime/config.ini cortex/Elasticsearch_IP.json cortex/Elasticsearch_Hash.json
+sed -i "s|changeme|$password|g" .env cortex/application.conf thehive/application.conf elastalert/elastalert.yaml filebeat/filebeat.yml metricbeat/metricbeat.yml heartbeat/heartbeat.yml metricbeat/modules.d/elasticsearch-xpack.yml metricbeat/modules.d/kibana-xpack.yml kibana/kibana.yml auditbeat/auditbeat.yml logstash/config/logstash.yml logstash/pipeline/beats/300_output_beats.conf logstash/pipeline/stoq/300_output_stoq.conf logstash/pipeline/zircolite/300_output_zircolite.conf sigma/dockerfile arkime/scripts/capture.sh arkime/scripts/config.sh arkime/scripts/import.sh arkime/scripts/init-db.sh arkime/scripts/viewer.sh arkime/config.ini cortex/Elasticsearch_IP.json cortex/Elasticsearch_Hash.json
 sed -i "s|kibana_changeme|$kibana_password|g" .env
 echo
 echo
diff --git a/README.md b/README.md
index 500be6f..fc4c99d 100644
--- a/README.md
+++ b/README.md
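Review bot: Adding `logstash/pipeline/zircolite/300_output_zircolite.conf` to the `s|changeme|$password|g` call writes the Elasticsearch superuser password into one more git-tracked file in the working tree, and the substitution is one-shot: re-running the script after a first deploy finds no `changeme` and silently leaves the previous value in place. A comment above the line would spare the next operator the surprise, e.g. `# One-shot: rewrites the placeholder in tracked config files; re-running after deploy is a no-op and the rewritten files must never be committed.` If `$password` (generated above this hunk) can contain `|`, `&` or `\`, the same expression corrupts the substitution; escaping it first with `esc=$(printf '%s' "$password" | sed 's/[|&\\]/\\&/g')` and using `$esc` here avoids that. The surrounding script continues outside the hunk.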
@@ -43,7 +43,7 @@ Inside the solution: * Watchtower * Homer -![S1EM](https://user-images.githubusercontent.com/18678787/201867896-1bdb6c45-6f34-45cb-b68e-e8174d1eda82.png) +![S1EM](https://user-images.githubusercontent.com/18678787/215265829-4538679f-9efe-4ce6-a49b-2d31ec45bc55.png) # Guides - :exclamation:[Installation Guide](https://github.com/V1D1AN/S1EM/wiki/Installation-Guide) @@ -70,7 +70,7 @@ Inside the solution: - [ ] SSO - [ ] Interact with Lab-DFIR-SOC (https://github.com/StevenDias33/Lab-DFIR-SOC) - [ ] Add Capa -- [ ] Add Zircolite +- [x] Add Zircolite # Related project diff --git a/docker-compose.yml b/docker-compose.yml index 9132d60..e7818f7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -400,6 +400,8 @@ services: - NET_ADMIN - SYS_NICE restart: always + depends_on: + - filebeat volumes: - ./rules/suricata:/etc/suricata/rules - ./suricata/suricata.yaml:/etc/suricata/suricata.yaml diff --git a/homer/config.yml b/homer/config.yml index 244d959..d88b429 100644 --- a/homer/config.yml +++ b/homer/config.yml @@ -145,6 +145,11 @@ services: - name: "SIRP" icon: "fas fa-sitemap" items: + - name: "Zircolite" + logo: "https://github.com/wagga40/Zircolite/raw/master/pics/zircolite_400.png" + tag: "app" + url: "https://s1em_hostname/kibana/app/dashboards#/view/832a98e0-9ef0-11ed-bedc-f9813e7df557" + target: "_blank" # optional html a tag target attribute - name: "TheHive" logo: "https://github.com/TheHive-Project/TheHive/raw/main/images/thehive-logo.png" tag: "app" diff --git a/kibana/dashboard/zircolite.ndjson b/kibana/dashboard/zircolite.ndjson new file mode 100644 index 0000000..4f8016d --- /dev/null +++ b/kibana/dashboard/zircolite.ndjson 
@@ -0,0 +1,10 @@ +{"attributes":{"color":"#8b7550","description":"","name":"Zircolite"},"coreMigrationVersion":"7.17.8","id":"60e29db0-9eef-11ed-bedc-f9813e7df557","references":[],"type":"tag","updated_at":"2023-01-28T09:37:27.822Z","version":"WzEyODMwNjAyLDVd"} +{"attributes":{"fieldAttrs":"{\"title\":{\"count\":4},\"Channel\":{\"count\":6},\"ImagePath\":{\"count\":1},\"IpAddress\":{\"count\":2}}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"SystemTime","title":"zircolite-*","typeMeta":"{}"},"coreMigrationVersion":"7.17.8","id":"zircolite-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2023-01-27T11:45:56.186Z","version":"WzEyNTA5OTUzLDVd"} +{"attributes":{"columns":[],"description":"","grid":{},"hideChart":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"title :*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Zircolite alerts"},"coreMigrationVersion":"7.17.8","id":"ef785840-9eee-11ed-bedc-f9813e7df557","migrationVersion":{"search":"7.9.3"},"references":[{"id":"zircolite-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2023-01-28T09:34:17.543Z","version":"WzEyODI5NzM5LDVd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Zircolite time histogram","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Zircolite time 
histogram\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"SystemTime\",\"timeRange\":{\"from\":\"now-90d/d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"1d\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{},\"row\":true}}"},"coreMigrationVersion":"7.17.8","id":"63e3cfc0-9eef-11ed-bedc-f9813e7df557","migrationVersion":{"visualization":"7.17.0"},"references":[{"id":"60e29db0-9eef-11ed-bedc-f9813e7df557","name":"tag-ref-60e29db0-9eef-11ed-bedc-f9813e7df557","type":"tag"},{"id":"ef785840-9eee-1
1ed-bedc-f9813e7df557","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2023-01-28T09:37:32.865Z","version":"WzEyODMwNjM2LDVd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Zircolite Alerts title","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"Zircolite Alerts title\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"title.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"nestedLegend\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"distinctColors\":false,\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"labels\":{\"show\":true,\"last_level\":false,\"values\":true,\"valuesFormat\":\"percent\",\"percentDecimals\":2,\"truncate\":100,\"position\":\"default\"}}}"},"coreMigrationVersion":"7.17.8","id":"0fe0be00-9ef0-11ed-bedc-f9813e7df557","migrationVersion":{"visualization":"7.17.0"},"references":[{"id":"60e29db0-9eef-11ed-bedc-f9813e7df557","name":"tag-ref-60e29db0-9eef-11ed-bedc-f9813e7df557","type":"tag"},{"id":"ef785840-9eee-11ed-bedc-f9813e7df557","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2023-01-28T09:42:21.415Z","version":"WzEyODMxODYyLDVd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Zircolite Original 
logfile","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"Zircolite Original logfile\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"OriginalLogfile.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"nestedLegend\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"distinctColors\":false,\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"labels\":{\"show\":true,\"last_level\":false,\"values\":true,\"valuesFormat\":\"percent\",\"percentDecimals\":2,\"truncate\":100,\"position\":\"default\"}}}"},"coreMigrationVersion":"7.17.8","id":"4a47a670-9ef1-11ed-bedc-f9813e7df557","migrationVersion":{"visualization":"7.17.0"},"references":[{"id":"60e29db0-9eef-11ed-bedc-f9813e7df557","name":"tag-ref-60e29db0-9eef-11ed-bedc-f9813e7df557","type":"tag"},{"id":"ef785840-9eee-11ed-bedc-f9813e7df557","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2023-01-28T09:51:08.891Z","version":"WzEyODM0MTI3LDVd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Zircolite Computer","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"Zircolite 
Computer\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"Computer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"nestedLegend\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"distinctColors\":false,\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"labels\":{\"show\":true,\"last_level\":false,\"values\":true,\"valuesFormat\":\"percent\",\"percentDecimals\":2,\"truncate\":100,\"position\":\"default\"}}}"},"coreMigrationVersion":"7.17.8","id":"b3f03670-9eef-11ed-bedc-f9813e7df557","migrationVersion":{"visualization":"7.17.0"},"references":[{"id":"60e29db0-9eef-11ed-bedc-f9813e7df557","name":"tag-ref-60e29db0-9eef-11ed-bedc-f9813e7df557","type":"tag"},{"id":"ef785840-9eee-11ed-bedc-f9813e7df557","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2023-01-28T09:44:46.484Z","version":"WzEyODMyNDMyLDVd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Zircolite Alerts description","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Zircolite Alerts 
description\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"autoFitRowToContent\":false}}"},"coreMigrationVersion":"7.17.8","id":"dfec36a0-9ef1-11ed-bedc-f9813e7df557","migrationVersion":{"visualization":"7.17.0"},"references":[{"id":"60e29db0-9eef-11ed-bedc-f9813e7df557","name":"tag-ref-60e29db0-9eef-11ed-bedc-f9813e7df557","type":"tag"},{"id":"ef785840-9eee-11ed-bedc-f9813e7df557","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2023-01-28T09:55:19.948Z","version":"WzEyODM1MTc5LDVd"} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.17.8\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":9,\"i\":\"90b22401-6caa-405b-b619-24ed8e9053a5\"},\"panelIndex\":\"90b22401-6caa-405b-b619-24ed8e9053a5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_90b22401-6caa-405b-b619-24ed8e9053a5\"},{\"version\":\"7.17.8\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":9,\"w\":16,\"h\":11,\"i\":\"5c630a4e-e286-4606-af32-a5bf65ad4bcd\"},\"panelIndex\":\"5c630a4e-e286-4606-af32-a5bf65ad4bcd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5c630a4e-e286-4606-af32-a5bf65ad4bcd\"},{\"version\":\"7.17.8\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":9,\"w\":17,\"h\":11,\"i\":\"7c9e9095-44cb-48bd-8539-64f320c401c3\"},\"panelIndex\":\"7c9e9095-44cb-48bd-8539-64f320c401c3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7c9e9095-44cb-48bd-8539-64f320c401c3\"},{\"version\":\"7.17.8\",\"type\":\"visualization\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":11,\"i\":\"119af4ac-c634-4bc2-8670-aeb87a40212e\"},\"panelIndex\":\"119af4ac-c634-4bc2-8670-aeb87a40212e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_119af4ac-c634-4bc2-8670-aeb87a40212e\"},{\"version\":\"7.17.8\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":11,\"i\":\"bc59f776-7c91-4046-a26f-e34916d938eb\"},\"panelIndex\":\"bc59f776-7c91-4046-a26f-e34916d938eb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_bc59f776-7c91-4046-a26f-e34916d938eb\"}]","timeRestore":false,"title":"Zircolite","version":1},"coreMigrationVersion":"7.17.8","id":"832a98e0-9ef0-11ed-bedc-f9813e7df557","migrationVersion":{"dashboard":"7.17.3"},"references":[{
"id":"63e3cfc0-9eef-11ed-bedc-f9813e7df557","name":"90b22401-6caa-405b-b619-24ed8e9053a5:panel_90b22401-6caa-405b-b619-24ed8e9053a5","type":"visualization"},{"id":"0fe0be00-9ef0-11ed-bedc-f9813e7df557","name":"5c630a4e-e286-4606-af32-a5bf65ad4bcd:panel_5c630a4e-e286-4606-af32-a5bf65ad4bcd","type":"visualization"},{"id":"4a47a670-9ef1-11ed-bedc-f9813e7df557","name":"7c9e9095-44cb-48bd-8539-64f320c401c3:panel_7c9e9095-44cb-48bd-8539-64f320c401c3","type":"visualization"},{"id":"b3f03670-9eef-11ed-bedc-f9813e7df557","name":"119af4ac-c634-4bc2-8670-aeb87a40212e:panel_119af4ac-c634-4bc2-8670-aeb87a40212e","type":"visualization"},{"id":"dfec36a0-9ef1-11ed-bedc-f9813e7df557","name":"bc59f776-7c91-4046-a26f-e34916d938eb:panel_bc59f776-7c91-4046-a26f-e34916d938eb","type":"visualization"},{"id":"60e29db0-9eef-11ed-bedc-f9813e7df557","name":"tag-60e29db0-9eef-11ed-bedc-f9813e7df557","type":"tag"}],"type":"dashboard","updated_at":"2023-01-28T09:55:34.055Z","version":"WzEyODM1MjU0LDVd"} +{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":9,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file diff --git a/logstash/config/pipelines.yml b/logstash/config/pipelines.yml index 91c8217..7f04a1f 100644 --- a/logstash/config/pipelines.yml +++ b/logstash/config/pipelines.yml @@ -5,5 +5,5 @@ path.config: "/usr/share/logstash/pipeline/stoq/*.conf" pipeline.workers: 3 - pipeline.id: zircolite - path.config: "/usr/share/logstash/pipeline/stoq/*.conf" + path.config: "/usr/share/logstash/pipeline/zircolite/*.conf" pipeline.workers: 3 From 55f0a4e9943aacfc8448912aca393c23b18f7d43 Mon Sep 17 00:00:00 2001 From: V1D1AN Date: Sat, 28 Jan 2023 13:44:19 +0100 Subject: [PATCH 5/6] Correction bug for the config.yml --- homer/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/homer/config.yml b/homer/config.yml index d88b429..9f2a6b8 100644 --- a/homer/config.yml +++ b/homer/config.yml 
@@ -145,7 +145,7 @@ services: - name: "SIRP" icon: "fas fa-sitemap" items: - - name: "Zircolite" + - name: "Zircolite" logo: "https://github.com/wagga40/Zircolite/raw/master/pics/zircolite_400.png" tag: "app" url: "https://s1em_hostname/kibana/app/dashboards#/view/832a98e0-9ef0-11ed-bedc-f9813e7df557" From a8225257205ad8bcfa070b80e2c092ef4f18ec70 Mon Sep 17 00:00:00 2001 From: V1D1AN Date: Sat, 28 Jan 2023 13:51:03 +0100 Subject: [PATCH 6/6] Change att@ck navigator url --- homer/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/homer/config.yml b/homer/config.yml index 9f2a6b8..69eac9f 100644 --- a/homer/config.yml +++ b/homer/config.yml @@ -138,7 +138,7 @@ services: logo: "http://attack.mitre.org/theme/images/ATT&CK_red.png" tag: "site" tagstyle: "is-success" - url: "https://ela.st/tj-mitre-an" + url: "https://ela.st/detection-rules-navigator" target: "_blank" # optional html a tag target attribute