From 000d15a53c60bf923b826602fcb93f3de7ec722c Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Fri, 29 Mar 2024 13:56:01 -0400
Subject: [PATCH 1/7] Kismet integration: TODO Elasticsearch mappings
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticfleet/defaults.yaml | 5 +
 .../files/integrations-optional/kismet.json | 36 ++++
 salt/elasticfleet/soc_elasticfleet.yaml | 26 +++
 salt/elasticsearch/defaults.yaml | 43 +++++
 salt/elasticsearch/files/ingest/kismet.ad_hoc | 10 ++
 salt/elasticsearch/files/ingest/kismet.ap | 50 ++++++
 .../elasticsearch/files/ingest/kismet.bridged | 16 ++
 salt/elasticsearch/files/ingest/kismet.client | 29 ++++
 salt/elasticsearch/files/ingest/kismet.common | 158 ++++++++++++++++++
 salt/elasticsearch/files/ingest/kismet.device | 9 +
 salt/elasticsearch/files/ingest/kismet.seenby | 52 ++++++
 salt/elasticsearch/files/ingest/kismet.wds | 10 ++
 salt/elasticsearch/files/ingest/kismet.wds_ap | 22 +++
 salt/elasticsearch/soc_elasticsearch.yaml | 1 +
 .../templates/component/ecs/kismet.json | 16 ++
 15 files changed, 483 insertions(+)
 create mode 100644 salt/elasticfleet/files/integrations-optional/kismet.json
 create mode 100644 salt/elasticsearch/files/ingest/kismet.ad_hoc
 create mode 100644 salt/elasticsearch/files/ingest/kismet.ap
 create mode 100644 salt/elasticsearch/files/ingest/kismet.bridged
 create mode 100644 salt/elasticsearch/files/ingest/kismet.client
 create mode 100644 salt/elasticsearch/files/ingest/kismet.common
 create mode 100644 salt/elasticsearch/files/ingest/kismet.device
 create mode 100644 salt/elasticsearch/files/ingest/kismet.seenby
 create mode 100644 salt/elasticsearch/files/ingest/kismet.wds
 create mode 100644 salt/elasticsearch/files/ingest/kismet.wds_ap
 create mode 100644 salt/elasticsearch/templates/component/ecs/kismet.json
diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index 7b2d9d6a3c..2af7e75327 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -118,3 +118,8 @@ elasticfleet:
 base_url: https://api.platform.sublimesecurity.com
 poll_interval: 5m
 limit: 100
+ kismet:
+ base_url: http://localhost:2501
+ poll_interval: 1m
+ api_key:
+ enabled_nodes: []
\ No newline at end of file
diff --git a/salt/elasticfleet/files/integrations-optional/kismet.json b/salt/elasticfleet/files/integrations-optional/kismet.json
new file mode 100644
index 0000000000..9a333f31cc
--- /dev/null
+++ b/salt/elasticfleet/files/integrations-optional/kismet.json
@@ -0,0 +1,36 @@
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{% raw %}
+{
+ "package": {
+ "name": "httpjson",
+ "version": ""
+ },
+ "name": "kismet-logs",
+ "namespace": "so",
+ "description": "Kismet Logs",
+ "policy_id": "FleetServer_{% endraw %}{{ NAME }}{% raw %}",
+ "inputs": {
+ "generic-httpjson": {
+ "enabled": true,
+ "streams": {
+ "httpjson.generic": {
+ "enabled": true,
+ "vars": {
+ "data_stream.dataset": "kismet",
+ "request_url": "{% endraw %}{{ ELASTICFLEETMERGED.optional_integrations.kismet.base_url }}{% raw %}/devices/last-time/-600/devices.tjson",
+ "request_interval": "{% endraw %}{{ ELASTICFLEETMERGED.optional_integrations.kismet.poll_interval }}{% raw %}",
+ "request_method": "GET",
+ "request_transforms": "- set:\r\n target: header.Cookie\r\n value: 'KISMET={% endraw %}{{ ELASTICFLEETMERGED.optional_integrations.kismet.api_key }}{% raw %}'",
+ "request_redirect_headers_ban_list": [],
+ "oauth_scopes": [],
+ "processors": "",
+ "tags": [],
+ "pipeline": "kismet.common"
+ }
+ }
+ }
+ }
+ },
+ "force": true
+}
+{% endraw %}
\ No newline at end of file
diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml
index 9a0cd0a912..206febcd74 100644
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
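Review bot: `api_key:` in the new `kismet` stanza is a bare empty value, which YAML reads as null rather than an empty string, so when the integration template renders it into the `KISMET=` cookie an unset key becomes whatever the Jinja engine prints for null (presumably `None`) and nothing disables the integration until a key is configured. Writing `api_key: ''` keeps the rendered type a string and matches the explicit `enabled_nodes: []` on the next line. The default `base_url: http://localhost:2501` is plain HTTP; since the key is sent in a Cookie header on every poll, the help text for `base_url` should state that a non-local Kismet endpoint needs an `https://` URL or the key crosses the network in cleartext.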
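Review bot: `request_url` asks for `/devices/last-time/-600/devices.tjson` while `request_interval` defaults to 1m, so every device active in the last 600 seconds is returned on up to ten consecutive polls and, because neither this policy nor `kismet.common` sets a deterministic `_id`, is indexed as a new document each time. Either align the lookback window with the poll interval or derive `_id` in the pipeline with a `fingerprint` processor over the device MAC and `kismet_device_base_mod_time`, so a re-polled unchanged record is rejected as a duplicate instead of stored again. The API key is interpolated unescaped into a single-quoted scalar inside a JSON string (`value: 'KISMET=…'`), so a key containing `'` or `"` breaks the rendered policy; that restriction should be validated or documented next to the `api_key` setting. `"version": ""` leaves the httpjson package version unpinned; confirm the installer resolves it to a known version.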
@@ -79,3 +79,29 @@ elasticfleet:
 helpLink: elastic-fleet.html
 advanced: True
 forcedType: int
+ kismet:
+ base_url:
+ description: Base URL for Kismet.
+ global: True
+ helpLink: elastic-fleet.html
+ advanced: True
+ forcedType: string
+ poll_interval:
+ description: Poll interval for wireless device data from Kismet. Integration is currently configured to report devices seen as active by any Kismet sensor within the last 600 seconds of polling.
+ global: True
+ helpLink: elastic-fleet.html
+ advanced: True
+ forcedType: string
+ api_key:
+ description: API key for Kismet.
+ global: True
+ helpLink: elastic-fleet.html
+ advanced: True
+ forcedType: string
+ sensitive: True
+ enabled_nodes:
+ description: Fleet nodes with the Kismet integration enabled. Enter one per line.
+ global: True
+ helpLink: elastic-fleet.html
+ advanced: True
+ forcedType: "[]string"
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index c70b0419a3..048dd0c7fe 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -10491,6 +10491,49 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-kismet:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - kismet-mappings
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ allow_custom_routing: false
+ hidden: false
+ index_patterns:
+ - logs-kismet-so*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-kismet-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logstash:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/files/ingest/kismet.ad_hoc b/salt/elasticsearch/files/ingest/kismet.ad_hoc
new file mode 100644
index 0000000000..8cbc9cd2bb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/kismet.ad_hoc
@@ -0,0 +1,10 @@
+{
+ "processors": [
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_macaddr",
+ "target_field": "wireless.bssid"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/kismet.ap b/salt/elasticsearch/files/ingest/kismet.ap
new file mode 100644
index 0000000000..1b8cbb80e5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/kismet.ap
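Review bot: The `rename` of `message2.kismet_device_base_macaddr` has no `ignore_missing`, so a record without that field fails this sub-pipeline and, through the `pipeline` processor that dispatches to it from `kismet.common`, the whole document is rejected instead of being indexed without the field. The same unguarded renames appear in `kismet.bridged`, `kismet.client`, `kismet.wds` and `kismet.wds_ap`, and in `kismet.ap` the `dot11_device_last_bssid` rename is the only one of its renames without a guard. Adding `"ignore_missing": true` to each keeps them consistent with the `!= null` guarded renames elsewhere in the series; whether Kismet ever omits `kismet_device_base_macaddr` is not visible from the diff, so this is defensive.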
@@ -0,0 +1,50 @@
+{
+ "processors": [
+ {
+ "rename": {
+ "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_cloaked",
+ "target_field": "wireless.ssid_cloaked",
+ "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_cloaked != null"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_ssid",
+ "target_field": "wireless.ssid",
+ "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_ssid != null"
+ }
+ },
+ {
+ "set": {
+ "field": "wireless.ssid",
+ "value": "Hidden",
+ "if": "ctx?.wireless?.ssid_cloaked != null && ctx?.wireless?.ssid_cloaked == 1"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_dot11e_channel_utilization_perc",
+ "target_field": "wireless.channel_utilization",
+ "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_dot11e_channel_utilization_perc != null"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.dot11_device.dot11_device_last_bssid",
+ "target_field": "wireless.bssid"
+ }
+ },
+ {
+ "foreach": {
+ "field": "message2.dot11_device.dot11_device_associated_client_map",
+ "processor": {
+ "append": {
+ "field": "wireless.associated_clients",
+ "value": "{{_ingest._key}}"
+ }
+ },
+ "if": "ctx?.message2?.dot11_device?.dot11_device_associated_client_map != null"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/kismet.bridged b/salt/elasticsearch/files/ingest/kismet.bridged
new file mode 100644
index 0000000000..5eee3b78cf
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/kismet.bridged
@@ -0,0 +1,16 @@
+{
+ "processors": [
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_macaddr",
+ "target_field": "client.mac"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.dot11_device.dot11_device_last_bssid",
+ "target_field": "wireless.bssid"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/kismet.client b/salt/elasticsearch/files/ingest/kismet.client
new file mode 100644
index 0000000000..8b3d3069b6
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/kismet.client
@@ -0,0 +1,29 @@
+{
+ "processors": [
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_macaddr",
+ "target_field": "client.mac"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.dot11_device.dot11_device_last_bssid",
+ "target_field": "wireless.last_connected_bssid",
+ "if": "ctx?.message2?.dot11_device?.dot11_device_last_bssid != null"
+ }
+ },
+ {
+ "foreach": {
+ "field": "message2.dot11_device.dot11_device_client_map",
+ "processor": {
+ "append": {
+ "field": "wireless.known_connected_bssid",
+ "value": "{{_ingest._key}}"
+ }
+ },
+ "if": "ctx?.message2?.dot11_device?.dot11_device_client_map != null"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/kismet.common b/salt/elasticsearch/files/ingest/kismet.common
new file mode 100644
index 0000000000..95eb29b732
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/kismet.common
@@ -0,0 +1,158 @@
+{
+ "processors": [
+ {
+ "json": {
+ "field": "message",
+ "target_field": "message2"
+ }
+ },
+ {
+ "date": {
+ "field": "message2.kismet_device_base_mod_time",
+ "formats": [
+ "epoch_second"
+ ],
+ "target_field": "@timestamp"
+ }
+ },
+ {
+ "set": {
+ "field": "event.category",
+ "value": "network"
+ }
+ },
+ {
+ "dissect": {
+ "field": "message2.kismet_device_base_type",
+ "pattern": "%{wifi} %{device_type}"
+ }
+ },
+ {
+ "lowercase": {
+ "field": "device_type"
+ }
+ },
+ {
+ "set": {
+ "field": "event.dataset",
+ "value": "kismet.{{device_type}}"
+ }
+ },
+ {
+ "set": {
+ "field": "event.dataset",
+ "value": "kismet.wds_ap",
+ "if": "ctx?.device_type == 'wds ap'"
+ }
+ },
+ {
+ "set": {
+ "field": "event.dataset",
+ "value": "kismet.ad_hoc",
+ "if": "ctx?.device_type == 'ad-hoc'"
+ }
+ },
+ {
+ "set": {
+ "field": "event.module",
+ "value": "kismet"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_packets_tx_total",
+ "target_field": "source.packets"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_num_alerts",
+ "target_field": "kismet.alerts.count"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_channel",
+ "target_field": "wireless.channel",
+ "if": "ctx?.message2?.kismet_device_base_channel != ''"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_frequency",
+ "target_field": "wireless.frequency",
+ "if": "ctx?.message2?.kismet_device_base_frequency != 0"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_last_time",
+ "target_field": "kismet.last_seen"
+ }
+ },
+ {
+ "date": {
+ "field": "kismet.last_seen",
+ "formats": [
+ "epoch_second"
+ ],
+ "target_field": "kismet.last_seen"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_first_time",
+ "target_field": "kismet.first_seen"
+ }
+ },
+ {
+ "date": {
+ "field": "kismet.first_seen",
+ "formats": [
+ "epoch_second"
+ ],
+ "target_field": "kismet.first_seen"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_seenby",
+ "target_field": "kismet.seenby"
+ }
+ },
+ {
+ "foreach": {
+ "field": "kismet.seenby",
+ "processor": {
+ "pipeline": {
+ "name": "kismet.seenby"
+ }
+ }
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_manuf",
+ "target_field": "device.manufacturer"
+ }
+ },
+ {
+ "pipeline": {
+ "name": "{{event.dataset}}"
+ }
+ },
+ {
+ "remove": {
+ "field": [
+ "message2",
+ "message",
+ "device_type",
+ "wifi",
+ "agent",
+ "host"
+ ],
+ "ignore_failure": true
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/kismet.device b/salt/elasticsearch/files/ingest/kismet.device
new file mode 100644
index 0000000000..49d0c7ad71
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/kismet.device
@@ -0,0 +1,9 @@
+{
+ "processors": [
+ {
+ "pipeline": {
+ "name": "kismet.client"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/kismet.seenby b/salt/elasticsearch/files/ingest/kismet.seenby
new file mode 100644
index 0000000000..d41220d763
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/kismet.seenby
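Review bot: The guards on the channel and frequency renames, `ctx?.message2?.kismet_device_base_channel != ''` and `ctx?.message2?.kismet_device_base_frequency != 0`, are true when the field is absent (null is neither `''` nor `0`), so the rename then runs against a missing field and fails the document; add `"ignore_missing": true` or extend each condition with `!= null &&`. The final `pipeline` processor resolves its name from `{{event.dataset}}`, which is built from the polled `kismet_device_base_type` string, so any type outside the shipped `kismet.*` pipelines, or a type without a space that makes `dissect` fail, rejects the whole document because no processor here has an `on_failure` handler; an `on_failure` block that tags the event and keeps it, or `ignore_missing_pipeline: true` where the cluster version supports it, would keep unknown device types visible instead of silently lost. The renames of `packets_tx_total`, `num_alerts`, `last_time`, `first_time`, `seenby` and `manuf` are unconditional as well. Dropping `agent` and `host` in the closing `remove` also discards which Fleet node collected the record, which is the provenance an analyst wants when reconciling sensors; confirm that removal is intentional and, if so, say why in the processor's `description`.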
@@ -0,0 +1,52 @@
+{
+ "processors": [
+ {
+ "rename": {
+ "field": "_ingest._value.kismet_common_seenby_num_packets",
+ "target_field": "_ingest._value.packets_seen",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "_ingest._value.kismet_common_seenby_uuid",
+ "target_field": "_ingest._value.serial_number",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "_ingest._value.kismet_common_seenby_first_time",
+ "target_field": "_ingest._value.first_seen",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "_ingest._value.kismet_common_seenby_last_time",
+ "target_field": "_ingest._value.last_seen",
+ "ignore_missing": true
+ }
+ },
+ {
+ "date": {
+ "field": "_ingest._value.first_seen",
+ "formats": [
+ "epoch_second"
+ ],
+ "target_field": "_ingest._value.first_seen",
+ "ignore_failure": true
+ }
+ },
+ {
+ "date": {
+ "field": "_ingest._value.last_seen",
+ "formats": [
+ "epoch_second"
+ ],
+ "target_field": "_ingest._value.last_seen",
+ "ignore_failure": true
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/kismet.wds b/salt/elasticsearch/files/ingest/kismet.wds
new file mode 100644
index 0000000000..1e426c4634
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/kismet.wds
@@ -0,0 +1,10 @@
+{
+ "processors": [
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_macaddr",
+ "target_field": "client.mac"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/kismet.wds_ap b/salt/elasticsearch/files/ingest/kismet.wds_ap
new file mode 100644
index 0000000000..7f43d43fd9
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/kismet.wds_ap
@@ -0,0 +1,22 @@
+{
+ "processors": [
+ {
+ "rename": {
+ "field": "message2.kismet_device_base_commonname",
+ "target_field": "wireless.bssid"
+ }
+ },
+ {
+ "foreach": {
+ "field": "message2.dot11_device.dot11_device_associated_client_map",
+ "processor": {
+ "append": {
+ "field": "wireless.associated_clients",
+ "value": "{{_ingest._key}}"
+ }
+ },
+ "if": "ctx?.message2?.dot11_device?.dot11_device_associated_client_map != null"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index e68d0441b5..c684c6154d 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -511,6 +511,7 @@ elasticsearch:
 so-suricata: *indexSettings
 so-import: *indexSettings
 so-kratos: *indexSettings
+ so-kismet: *indexSettings
 so-logstash: *indexSettings
 so-redis: *indexSettings
 so-strelka: *indexSettings
diff --git a/salt/elasticsearch/templates/component/ecs/kismet.json b/salt/elasticsearch/templates/component/ecs/kismet.json
new file mode 100644
index 0000000000..d388b71271
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/kismet.json
@@ -0,0 +1,16 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "kismet_mapping_placeholder": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
From 4097e1d81ab07f4f9e9b3e55599b9b66b63ae7a1 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 10 Apr 2024 16:10:27 -0400
Subject: [PATCH 2/7] Create mappings for Kismet integration
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/defaults.yaml | 4 ++
 .../templates/component/ecs/device.json | 36 ++++++++++++++++++
 .../templates/component/ecs/kismet.json | 22 +++++++++--
 .../templates/component/ecs/network.json | 37 +++++++++++++++++++
 4 files changed, 96 insertions(+), 3 deletions(-)
 create mode 100644 salt/elasticsearch/templates/component/ecs/device.json
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 048dd0c7fe..db1255dadb 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -10496,6 +10496,10 @@ elasticsearch:
 index_template:
 composed_of:
 - kismet-mappings
+ - source-mappings
+ - client-mappings
+ - device-mappings
+ - network-mappings
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
diff --git a/salt/elasticsearch/templates/component/ecs/device.json b/salt/elasticsearch/templates/component/ecs/device.json
new file mode 100644
index 0000000000..a281f2c1ec
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/device.json
@@ -0,0 +1,36 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "device": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "manufacturer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "model": {
+ "properties": {
+ "identifier": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/component/ecs/kismet.json b/salt/elasticsearch/templates/component/ecs/kismet.json
index d388b71271..a03236ab8d 100644
--- a/salt/elasticsearch/templates/component/ecs/kismet.json
+++ b/salt/elasticsearch/templates/component/ecs/kismet.json
@@ -6,9 +6,25 @@ "template": { "mappings": { "properties": { - "kismet_mapping_placeholder": { - "type": "keyword", - "ignore_above": 1024 + "kismet": { + "properties": { + "alerts": { + "properties": { + "count": { + "type": "long" + } + } + }, + "first_seen": { + "type": "date" + }, + "last_seen": { + "type": "date" + }, + "seenby": { + "type": "nested" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/network.json b/salt/elasticsearch/templates/component/ecs/network.json index c2e35efd06..cc0f9d288b 100644 --- a/salt/elasticsearch/templates/component/ecs/network.json +++ b/salt/elasticsearch/templates/component/ecs/network.json @@ -77,6 +77,43 @@ "type": "keyword" } } + }, + "wireless": { + "properties": { + "associated_clients": { + "ignore_above": 1024, + "type": "keyword" + }, + "bssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel_utilization": { + "type": "float" + }, + "frequency": { + "type": "double" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid_cloaked": { + "type": "boolean" + }, + "known_connected_bssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_connected_bssid": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } From 2ab9cbba6131c508ee27293e759b6e62753c323d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 10 Apr 2024 16:12:22 -0400 Subject: [PATCH 3/7] Update wording for Kismet poll interval annotation Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticfleet/soc_elasticfleet.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index 206febcd74..7ed97e6ec2 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml 
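Review bot: `kismet.seenby` is mapped as `nested` with no `properties`, so the fields the `kismet.seenby` pipeline writes into each element (`packets_seen`, `serial_number`, `first_seen`, `last_seen`) fall back to dynamic mapping inside the nested object and can come out differently per backing index; `serial_number` would default to text with a keyword sub-field rather than a plain keyword, and the two time fields depend on date detection being enabled. Declaring them explicitly keeps the mapping stable and matches the explicit `date` fields one level up in the same hunk.
```json
"seenby": {
  "type": "nested",
  "properties": {
    "packets_seen": { "type": "long" },
    "serial_number": { "type": "keyword", "ignore_above": 1024 },
    "first_seen": { "type": "date" },
    "last_seen": { "type": "date" }
  }
}
```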
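Review bot: The new `network.wireless.*` fields are not part of the ECS `network` field set that this component template documents, so custom fields are being added inside an ECS-reserved namespace where a future ECS release could define the same names with different types and break the template on upgrade. If ECS alignment is the goal, a project namespace is the safer home (the `kismet.*` object introduced in the same commit already serves that role); if `network.wireless` is kept, a `_meta` entry such as `"extensions": "network.wireless is a Security Onion extension, not ECS"` would at least record the deviation for the next maintainer.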
@@ -87,7 +87,7 @@ elasticfleet:
 advanced: True
 forcedType: string
 poll_interval:
- description: Poll interval for wireless device data from Kismet. Integration is currently configured to report devices seen as active by any Kismet sensor within the last 600 seconds of polling.
+ description: Poll interval for wireless device data from Kismet. Integration is currently configured to return devices seen as active by any Kismet sensor within the last 10 minutes.
 global: True
 helpLink: elastic-fleet.html
 advanced: True
From 7124f041388310e191c30fa97336c5f8f94c278c Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 10 Apr 2024 16:13:06 -0400
Subject: [PATCH 4/7] Update ingest pipelines to match updated mappings
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/files/ingest/kismet.ad_hoc | 2 +-
 salt/elasticsearch/files/ingest/kismet.ap | 14 +++++++-------
 salt/elasticsearch/files/ingest/kismet.bridged | 2 +-
 salt/elasticsearch/files/ingest/kismet.client | 4 ++--
 salt/elasticsearch/files/ingest/kismet.common | 4 ++--
 salt/elasticsearch/files/ingest/kismet.wds_ap | 4 ++--
 6 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/kismet.ad_hoc b/salt/elasticsearch/files/ingest/kismet.ad_hoc
index 8cbc9cd2bb..adfbd79013 100644
--- a/salt/elasticsearch/files/ingest/kismet.ad_hoc
+++ b/salt/elasticsearch/files/ingest/kismet.ad_hoc
@@ -3,7 +3,7 @@
 {
 "rename": {
 "field": "message2.kismet_device_base_macaddr",
- "target_field": "wireless.bssid"
+ "target_field": "network.wireless.bssid"
 }
 }
 ]
diff --git a/salt/elasticsearch/files/ingest/kismet.ap b/salt/elasticsearch/files/ingest/kismet.ap
index 1b8cbb80e5..107f924fd5 100644
--- a/salt/elasticsearch/files/ingest/kismet.ap
+++ b/salt/elasticsearch/files/ingest/kismet.ap
@@ -3,35 +3,35 @@
 {
 "rename": {
 "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_cloaked",
- "target_field": "wireless.ssid_cloaked",
+ "target_field": "network.wireless.ssid_cloaked",
 "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_cloaked != null"
 }
 },
 {
 "rename": {
 "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_ssid",
- "target_field": "wireless.ssid",
+ "target_field": "network.wireless.ssid",
 "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_ssid != null"
 }
 },
 {
 "set": {
- "field": "wireless.ssid",
+ "field": "network.wireless.ssid",
 "value": "Hidden",
- "if": "ctx?.wireless?.ssid_cloaked != null && ctx?.wireless?.ssid_cloaked == 1"
+ "if": "ctx?.network?.wireless?.ssid_cloaked != null && ctx?.network?.wireless?.ssid_cloaked == 1"
 }
 },
 {
 "rename": {
 "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_dot11e_channel_utilization_perc",
- "target_field": "wireless.channel_utilization",
+ "target_field": "network.network.wireless.channel_utilization",
 "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_dot11e_channel_utilization_perc != null"
 }
 },
 {
 "rename": {
 "field": "message2.dot11_device.dot11_device_last_bssid",
- "target_field": "wireless.bssid"
+ "target_field": "network.wireless.bssid"
 }
 },
 {
@@ -39,7 +39,7 @@
 "field": "message2.dot11_device.dot11_device_associated_client_map",
 "processor": {
 "append": {
- "field": "wireless.associated_clients",
+ "field": "network.wireless.associated_clients",
 "value": "{{_ingest._key}}"
 }
 },
diff --git a/salt/elasticsearch/files/ingest/kismet.bridged b/salt/elasticsearch/files/ingest/kismet.bridged
index 5eee3b78cf..b61635e3aa 100644
--- a/salt/elasticsearch/files/ingest/kismet.bridged
+++ b/salt/elasticsearch/files/ingest/kismet.bridged
@@ -9,7 +9,7 @@
 {
 "rename": {
 "field": "message2.dot11_device.dot11_device_last_bssid",
- "target_field": "wireless.bssid"
+ "target_field": "network.wireless.bssid"
 }
 }
 ]
diff --git a/salt/elasticsearch/files/ingest/kismet.client b/salt/elasticsearch/files/ingest/kismet.client
index 8b3d3069b6..6da0a071b9 100644
--- a/salt/elasticsearch/files/ingest/kismet.client
+++ b/salt/elasticsearch/files/ingest/kismet.client
@@ -9,7 +9,7 @@
 {
 "rename": {
 "field": "message2.dot11_device.dot11_device_last_bssid",
- "target_field": "wireless.last_connected_bssid",
+ "target_field": "network.wireless.last_connected_bssid",
 "if": "ctx?.message2?.dot11_device?.dot11_device_last_bssid != null"
 }
 },
@@ -18,7 +18,7 @@
 "field": "message2.dot11_device.dot11_device_client_map",
 "processor": {
 "append": {
- "field": "wireless.known_connected_bssid",
+ "field": "network.wireless.known_connected_bssid",
 "value": "{{_ingest._key}}"
 }
 },
diff --git a/salt/elasticsearch/files/ingest/kismet.common b/salt/elasticsearch/files/ingest/kismet.common
index 95eb29b732..368e7601a3 100644
--- a/salt/elasticsearch/files/ingest/kismet.common
+++ b/salt/elasticsearch/files/ingest/kismet.common
@@ -73,14 +73,14 @@
 {
 "rename": {
 "field": "message2.kismet_device_base_channel",
- "target_field": "wireless.channel",
+ "target_field": "network.wireless.channel",
 "if": "ctx?.message2?.kismet_device_base_channel != ''"
 }
 },
 {
 "rename": {
 "field": "message2.kismet_device_base_frequency",
- "target_field": "wireless.frequency",
+ "target_field": "network.wireless.frequency",
 "if": "ctx?.message2?.kismet_device_base_frequency != 0"
 }
 },
diff --git a/salt/elasticsearch/files/ingest/kismet.wds_ap b/salt/elasticsearch/files/ingest/kismet.wds_ap
index 7f43d43fd9..4d10b211be 100644
--- a/salt/elasticsearch/files/ingest/kismet.wds_ap
+++ b/salt/elasticsearch/files/ingest/kismet.wds_ap
@@ -3,7 +3,7 @@
 {
 "rename": {
 "field": "message2.kismet_device_base_commonname",
- "target_field": "wireless.bssid"
+ "target_field": "network.wireless.bssid"
 }
 },
 {
@@ -11,7 +11,7 @@
 "field": "message2.dot11_device.dot11_device_associated_client_map",
 "processor": {
 "append": {
- "field": "wireless.associated_clients",
+ "field": "network.wireless.associated_clients",
 "value": "{{_ingest._key}}"
 }
 },
From fd689a4607a8f416b8cbf86905647cd8940ec47c Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 11 Apr 2024 11:18:04 -0400
Subject: [PATCH 5/7] Fix typo in ingest pipeline
Test to fix duplicate events in SOC, by removing conflicting field event.created
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/files/ingest/kismet.ap | 2 +-
 salt/elasticsearch/files/ingest/kismet.common | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/kismet.ap b/salt/elasticsearch/files/ingest/kismet.ap
index 107f924fd5..a864c09e4f 100644
--- a/salt/elasticsearch/files/ingest/kismet.ap
+++ b/salt/elasticsearch/files/ingest/kismet.ap
@@ -24,7 +24,7 @@
 {
 "rename": {
 "field": "message2.dot11_device.dot11_device_last_beaconed_ssid_record.dot11_advertisedssid_dot11e_channel_utilization_perc",
- "target_field": "network.network.wireless.channel_utilization",
+ "target_field": "network.wireless.channel_utilization",
 "if": "ctx?.message2?.dot11_device?.dot11_device_last_beaconed_ssid_record?.dot11_advertisedssid_dot11e_channel_utilization_perc != null"
 }
 },
diff --git a/salt/elasticsearch/files/ingest/kismet.common b/salt/elasticsearch/files/ingest/kismet.common
index 368e7601a3..14d439105d 100644
--- a/salt/elasticsearch/files/ingest/kismet.common
+++ b/salt/elasticsearch/files/ingest/kismet.common
@@ -149,7 +149,8 @@
 "device_type",
 "wifi",
 "agent",
- "host"
+ "host",
+ "event.created"
 ],
 "ignore_failure": true
 }
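Review bot: Adding `event.created` to the `remove` list changes how the duplicate documents display in SOC but does not stop them being written; if, as the commit message suggests, the duplicates come from the same device being returned on every poll within the 600-second request window, the fix belongs at indexing time, for example a `fingerprint` processor over `message2.kismet_device_base_macaddr` and `message2.kismet_device_base_mod_time` with `"target_field": "_id"`, so an unchanged record is rejected as a version conflict instead of stored again. `event.created` is also the only field that records when the collector observed the record, as distinct from `@timestamp`, which this pipeline sets from Kismet's own `mod_time`, so it is worth keeping once the duplication is handled elsewhere. The enclosing `remove` processor begins outside the hunk.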
From 68e016090b2f456d62d280ffb4441ac47f62c2d0 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 11 Apr 2024 13:21:54 -0400
Subject: [PATCH 6/7] Fix network.wireless.ssid not parsing
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/templates/component/ecs/network.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/templates/component/ecs/network.json b/salt/elasticsearch/templates/component/ecs/network.json
index cc0f9d288b..8cc6bdc370 100644
--- a/salt/elasticsearch/templates/component/ecs/network.json
+++ b/salt/elasticsearch/templates/component/ecs/network.json
@@ -103,7 +103,7 @@
 "type": "keyword"
 },
 "ssid_cloaked": {
- "type": "boolean"
+ "type": "integer"
 },
 "known_connected_bssid": {
 "ignore_above": 1024,
From c269fb90acc4b56cfb2814105ec0e746de9808d6 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 11 Apr 2024 14:41:54 -0400
Subject: [PATCH 7/7] Added a Kismet Wifi devices dashboard for an overview of kismet data
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/soc/defaults.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 987011c991..0826f4957a 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1180,6 +1180,13 @@ soc:
 - soc_timestamp
 - event.dataset
 - message
+ ':kismet:':
+ - soc_timestamp
+ - device.manufacturer
+ - client.mac
+ - network.wireless.ssid
+ - network.wireless.bssid
+ - event.dataset
 server:
 bindAddress: 0.0.0.0:9822
 baseUrl: /
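Review bot: Switching `ssid_cloaked` to `integer` makes the 0/1 value Kismet emits indexable, but it leaves a yes/no fact stored as a number that every query and dashboard must compare with `1`, and nothing in the template records why. The alternative that keeps the field self-describing is to keep `boolean` here and normalise in `kismet.ap` after the `ssid_cloaked` rename with a one-line `script` processor, `ctx.network.wireless.ssid_cloaked = ctx.network.wireless.ssid_cloaked == 1`, changing the later `== 1` check to `== true`. If `integer` is the deliberate choice, a `_meta` note on the field such as `"ssid_cloaked": "0/1 as emitted by Kismet"` would save the next reader from reopening the question.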
@@ -1819,6 +1826,9 @@ soc:
 - name: GeoIP - Source Organizations
 description: GeoIP tagged logs visualized by source organizations
 query: '* AND _exists_:source_geo.organization_name | groupby source_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby event.dataset | groupby event.module'
+ - name: Kismet - WiFi Devices
+ description: WiFi devices seen by Kismet sensors
+ query: 'event.module: kismet | groupby network.wireless.ssid | groupby device.manufacturer | groupby -pie device.manufacturer | groupby event.dataset'
 job:
 alerts:
 advanced: false