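<#
.SYNOPSIS
Parse a Nessus XML report and import it into ElasticSearch using the _bulk API.
.DESCRIPTION
Parses a Nessus v2 (.nessus) report, flattens every ReportItem into one JSON
document (host tags + finding fields) and posts the whole set to the
ElasticSearch _bulk endpoint as newline-delimited JSON (x-ndjson).

Everything read from the report (banners, plugin output, host names, ...) is
data that ultimately comes from the scanned hosts. It is only ever serialised
with ConvertTo-Json, never interpolated into the action lines or the URL, so a
hostile banner cannot smuggle extra bulk actions into the request.
.PARAMETER InputXML
Path to the .nessus file, resolved against the current PowerShell location.
.PARAMETER Index
Target index. Used in the URL and in every action line. Not marked Mandatory
for backward compatibility, but the script refuses to run without it.
.PARAMETER Type
Target mapping type (_type in the action line; pre-7.x ElasticSearch).
.PARAMETER Server
ElasticSearch host name or IP address.
.PARAMETER Port
ElasticSearch HTTP port; 9200 by default.
.PARAMETER UseSSL
Talk to the cluster over HTTPS instead of plain HTTP.
.PARAMETER Credential
Optional credentials for HTTP basic authentication. Use together with -UseSSL;
without it the password crosses the network in clear text.
.EXAMPLE
.\ImportTo-ElasticSearchBulk.ps1 -InputXML "C:\folder\file.nessus" -Server es.contoso.com -Index "nessus" -type "vuln"
.EXAMPLE
.\ImportTo-ElasticSearchBulk.ps1 -InputXML .\scan.nessus -Server es.contoso.com -Index nessus -Type vuln -UseSSL -Credential (Get-Credential)
#>
[CmdletBinding()]
[Alias()]
Param
(
    # XML file input
    [Parameter(Mandatory=$true,
    ValueFromPipelineByPropertyName=$true,
    Position=0)]
    [string]$InputXML,
    # ElasticSearch index. It ends up in the request URL and in the JSON action
    # line, so whitespace, quotes, slashes and backslashes are rejected up front.
    [Parameter(Mandatory=$false,
    ValueFromPipelineByPropertyName=$true,
    Position=1)]
    [ValidatePattern('^[^\s"\\/]+$')]
    [string]$Index,
    # ElasticSearch type mapping (same restrictions as -Index)
    [Parameter(Mandatory=$true,
    ValueFromPipelineByPropertyName=$true,
    Position=2)]
    [ValidatePattern('^[^\s"\\/]+$')]
    [string]$Type,
    # ElasticSearch server
    [Parameter(Mandatory=$true,
    ValueFromPipelineByPropertyName=$true,
    Position=3)]
    [ValidateNotNullOrEmpty()]
    [string]$Server,
    # HTTP port of the cluster
    [Parameter(Mandatory=$false)]
    [ValidateRange(1,65535)]
    [int]$Port = 9200,
    # Use HTTPS instead of HTTP
    [Parameter(Mandatory=$false)]
    [switch]$UseSSL,
    # Basic-auth credentials (only sensible together with -UseSSL)
    [Parameter(Mandatory=$false)]
    [System.Management.Automation.PSCredential]$Credential
)
Begin{
    $ErrorActionPreference = 'Stop'
    # One entry per line of the bulk body (action line, document line, ...).
    # Filled in Process so that pipeline input works: with
    # ValueFromPipelineByPropertyName the parameters are not bound yet when
    # Begin runs, which is why the original read the file here and broke for
    # piped input.
    $bulkLines = New-Object 'System.Collections.Generic.List[string]'
    # HOST_END is ctime-like; the second format covers the space-padded
    # single-digit day ("Thu Jun  4 12:05:01 2015").
    $hostEndFormats = [string[]]@('ddd MMM dd HH:mm:ss yyyy', 'ddd MMM d HH:mm:ss yyyy')
}
Process{
    if ([string]::IsNullOrEmpty($Index)) {
        throw '-Index is required: it names the target index in the URL and in every bulk action line.'
    }
    # Resolve against the PowerShell location; [System.IO.File] would use the
    # process working directory, which can differ from $PWD.
    $path = (Resolve-Path -LiteralPath $InputXML).ProviderPath
    # Load through an XmlReader with DTD processing disabled and no resolver so
    # a crafted report cannot pull in external entities, and dispose the
    # reader explicitly (the original StreamReader was never closed).
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver = $null
    $reader = [System.Xml.XmlReader]::Create($path, $settings)
    try {
        $nessus = New-Object System.Xml.XmlDocument
        $nessus.Load($reader)
    } finally {
        $reader.Dispose()
    }
    # ConvertTo-Json escapes the names, so the action line stays well-formed
    # for anything the ValidatePattern above lets through.
    $action = [PSCustomObject]@{ index = [PSCustomObject]@{ '_index' = $Index; '_type' = $Type } } | ConvertTo-Json -Compress
    $before = $bulkLines.Count
    foreach ($reportHost in $nessus.NessusClientData_v2.Report.ReportHost) {
        # Host-level tags are identical for every finding on the host; index
        # them once instead of filtering the tag list once per ReportItem.
        $hostTag = @{}
        foreach ($tag in $reportHost.HostProperties.tag) {
            if ($tag.name) { $hostTag[[string]$tag.name] = $tag.'#text' }
        }
        # Parse HOST_END with the invariant culture and a 24-hour clock: the
        # original "hh:mm:ss" output format dropped AM/PM, so 16:25 was stored
        # as 04:25. A missing or unparseable tag no longer aborts the import.
        $scanEnd = $null
        if ($hostTag['HOST_END']) {
            $parsed = [datetime]::MinValue
            $ok = [datetime]::TryParseExact([string]$hostTag['HOST_END'], $hostEndFormats,
                [System.Globalization.CultureInfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::AllowWhiteSpaces, [ref]$parsed)
            if ($ok) {
                $scanEnd = $parsed.ToString('yyyy/MM/dd HH:mm:ss')
            } else {
                Write-Warning "Unrecognised HOST_END '$($hostTag['HOST_END'])' for host $($hostTag['host-ip']); 'time' left empty."
            }
        }
        foreach ($item in $reportHost.ReportItem) {
            # Skip the informational plugins the original author marked as
            # useless (19506, 20094). The original test had an empty body and
            # an unanchored regex, so nothing was ever skipped.
            if ($item.pluginID -match '^(19506|20094)$') { continue }
            $doc = [PSCustomObject]@{
                'ip'   = $hostTag['host-ip']
                'fqdn' = $hostTag['host-fqdn']
                'svc'  = $item.svc_name
                # The original stored $r.severity under "protocol"; both are
                # now exported under their own names.
                'protocol' = $item.protocol
                'severity' = $item.severity
                'pluginID'     = $item.pluginID
                'pluginName'   = $item.pluginName
                'pluginFamily' = $item.pluginFamily
                'plugin_publication_date' = $item.plugin_publication_date
                # Key spelling kept (sic): existing indexes and dashboards use it.
                'plugn_type'  = $item.plugin_type
                'risk_factor' = $item.risk_factor
                'solution'    = $item.solution
                'synopsis'    = $item.synopsis
                'plugin_output' = $item.plugin_output
                'cvss_base_score'     = $item.cvss_base_score
                'cvss_temporal_score' = $item.cvss_temporal_score
                'cvss_vector'         = $item.cvss_vector
                'operating-system-unsupported' = $hostTag['operating-system-unsupported']
                'system-type'       = $hostTag['system-type']
                'os'                = $hostTag['os']
                'operating-system'  = $hostTag['operating-system']
                'Credentialed_Scan' = $hostTag['Credentialed_Scan']
                'policy-used'       = $hostTag['policy-used']
                'exploit_available' = $item.exploit_available
                'in_the_news'       = $item.in_the_news
                'edb-id'            = $item.'edb-id'
                'see_also'          = $item.see_also
                'unsupported_by_vendor' = $item.unsupported_by_vendor
                # <cve> repeats per finding; force an array so the field has the
                # same shape whether there are zero, one or many references.
                'cve'  = @($item.cve | Where-Object { $null -ne $_ })
                'time' = $scanEnd
            }
            $bulkLines.Add($action)
            $bulkLines.Add(($doc | ConvertTo-Json -Compress))
        }
    }
    Write-Verbose ("{0}: {1} document(s) queued" -f $path, (($bulkLines.Count - $before) / 2))
}
End{
    if ($bulkLines.Count -eq 0) {
        Write-Warning 'No findings to import; nothing was sent.'
        return
    }
    if ($Credential -and -not $UseSSL) {
        Write-Warning 'Sending credentials over plain HTTP; use -UseSSL.'
    }
    $scheme = if ($UseSSL) { 'https' } else { 'http' }
    $uri = "${scheme}://${Server}:${Port}/${Index}/${Type}/_bulk"
    # The bulk body must end with a newline. Hand it over as UTF-8 bytes: given
    # a string, Windows PowerShell does not reliably encode non-ASCII text
    # (banners, localised plugin output) as UTF-8. The original also passed the
    # array of fragments directly, leaving the join to PowerShell's $OFS.
    $payload = [System.Text.Encoding]::UTF8.GetBytes(($bulkLines -join "`n") + "`n")
    $request = @{
        Uri = $uri
        Method = 'POST'
        # x-ndjson is the documented content type for _bulk; the original
        # header value carried a trailing space.
        ContentType = 'application/x-ndjson; charset=utf-8'
        Body = $payload
        UseBasicParsing = $true
    }
    if ($Credential) { $request['Credential'] = $Credential }
    try {
        $response = Invoke-WebRequest @request
    } catch {
        # Fail the script instead of printing the message as output; include
        # the server's reply when there is one (rejections come back as JSON).
        $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        throw "Bulk import to $uri failed: $detail"
    }
    # _bulk answers 200 even when individual documents were rejected; the
    # per-item status is only visible in the response body.
    $result = $response.Content | ConvertFrom-Json
    if ($result.errors) {
        $rejected = @($result.items | Where-Object { $_.index.error }).Count
        Write-Warning "ElasticSearch rejected $rejected of $($result.items.Count) document(s); inspect the _bulk response for details."
    }
    # NOTE(review): the whole report goes out as one request. Very large scans
    # may exceed http.max_content_length on the cluster; chunk if that happens.
    $result
}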