Shodan Integration

Has anyone managed to get Shodan.io alerts into Elastic SIEM? I'm trying to use the kubi-ecs-logger logging library and the Shodan Python API to send ECS alerts, and wondered if anyone is interested in collaborating?


Ok I've figured out a crude implementation, in summary:

  • Set up Shodan to monitor for new_services / unknown
  • run the Shodan CLI: `shodan stream --alert=all --compresslevel 0 --datadir=/local`
  • run a Filebeat prospector with the following config:

```yaml
filebeat.inputs:
- type: log
  paths:
    - "/local/*"
  json.add_error_key: true
  fields_under_root: true
  fields:
    event:
      type: "change"
      kind: "alert"
      module: "shodan"
      category: "network"
```

TODO

  • fields are not yet mapped to the Elastic Common Schema - a Python script needs to be written to poll the API and map Shodan fields to ECS

Here is the result:

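The ECS mapping left as a TODO above, as an added example that is not code from this thread: it takes one Shodan banner record (the shape the stream writes, as I understand the Shodan banner format; the sample values are constructed) and emits an ECS-style document that Filebeat could ship as-is, with `event.kind: alert` and `event.category: network` matching the config above. The choice of `destination.*` for the exposed host and `service.*` for the detected product is my assumption, not an official Shodan-to-ECS mapping.

```python
import json
from datetime import datetime, timezone

# Constructed sample banner (field names assumed from the Shodan banner format;
# the values are made up for this example and do not describe a real host).
SAMPLE_BANNER = {
    "ip_str": "192.0.2.10",
    "port": 22,
    "transport": "tcp",
    "timestamp": "2020-05-01T12:34:56.123456",
    "hostnames": ["example.test"],
    "org": "Example Org",
    "asn": "AS64496",
    "location": {"country_code": "XX", "city": "Nowhere"},
    "product": "OpenSSH",
    "version": "7.4",
    "data": "SSH-2.0-OpenSSH_7.4\r\n",
    "_shodan": {"module": "ssh"},
}


def drop_none(obj):
    """Recursively remove None values so empty ECS fields are not indexed."""
    if isinstance(obj, dict):
        return {k: drop_none(v) for k, v in obj.items() if v is not None}
    return obj


def shodan_to_ecs(banner: dict) -> dict:
    """Map one Shodan banner into an ECS-style event (assumed field mapping)."""
    # Shodan timestamps carry no zone; they are UTC, so mark them as such.
    ts = datetime.fromisoformat(banner["timestamp"]).replace(tzinfo=timezone.utc)
    asn = banner.get("asn", "")
    loc = banner.get("location", {})
    doc = {
        "@timestamp": ts.isoformat().replace("+00:00", "Z"),
        "message": banner.get("data", "").strip(),
        "event": {"kind": "alert", "category": ["network"], "type": ["change"],
                  "module": "shodan", "dataset": "shodan.alert",
                  "provider": banner.get("_shodan", {}).get("module")},
        "destination": {  # the scanned host that exposes the service
            "ip": banner["ip_str"], "port": banner["port"],
            "domain": (banner.get("hostnames") or [None])[0],
            "as": {"number": int(asn[2:]) if asn.startswith("AS") else None,
                   "organization": {"name": banner.get("org")}},
            "geo": {"country_iso_code": loc.get("country_code"),
                    "city_name": loc.get("city")}},
        "network": {"transport": banner.get("transport")},
        "service": {"name": banner.get("product"), "version": banner.get("version")},
        "observer": {"vendor": "Shodan"},
        "related": {"ip": [banner["ip_str"]]},
    }
    return drop_none(doc)


if __name__ == "__main__":
    print(json.dumps(shodan_to_ecs(SAMPLE_BANNER)))  # one NDJSON line for Filebeat
```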

Hi hilt86,

Whoa, that is really cool! You should put what you have on a GitHub project and make it into a Python package for people to collaborate on?

With just what you have above, you should be able to create signals from it at this point. But enriching the data by transforming what makes sense into ECS will make it even more useful.

Yeah, that would be cool - is there a Python lib for ECS that would make this easier?

There might be some things that are helpful in some of the folders within ECS:

such as this:

and a schema reader:

But I haven't added any contributions or used the Python generators before. It's interesting though, as the definitions of ECS are in yml files and there are hooks to generate things from the schema such as ECS mappings, etc.
