# Filebeat modules and ingest pipelines

To protect our infrastructure I analyzed our software and hardware logs against the Elastic SIEM detection patterns and found that many authentication message patterns are missing from the Filebeat module tests: these messages are not parsed and not categorized appropriately, so Elastic SIEM skips these events.

The modules listed below are the ones I used and checked for whether their events carry `event.category: authentication`.

| Event module | Event dataset | Event category = authentication | Issue | PR |
|---|---|---|---|---|
| Checkpoint | checkpoint.firewall | OK | | |
| Cisco | cisco.asa | Missing | | |
| Elasticsearch | elasticsearch.server | Missing | Issue | |
| Fortinet | fortinet.firewall | Missing | | |
| Fortinet | fortinet.fortimanager | Missing | Issue1, Issue2 | |
| IIS | iis.access | N/A | | |
| IIS | iis.error | N/A | | |
| Juniper | juniper.junos | Missing | | |
| Kafka | kafka.log | PR - in progress | Issue | PR - in progress |
| Mongodb | mongodb.log | PR - in progress | Issue | PR - in progress |
| MSSQL | mssql.log | Missing | | |
| MySQL | mysql.error | PR - accepted | Issue | PR - accepted |
| MySQL | mysql.slowlog | N/A | | |
| Netflow | netflow.log | N/A | | |
| Nginx | nginx.access | N/A | | |
| Nginx | nginx.error | PR - in progress | Issue | PR - in progress |
| Oracle | oracle.database_audit | PR - accepted | Issue | PR - accepted |
| Postgresql | postgresql.log | PR - in progress | Issue | PR - in progress |
| Rabbitmq | rabbitmq.log | OK | Issue | |
| Redis | redis.log | N/A | | |
| Squid | squid.log | ? | | |
| System | system.auth | Some patterns missing | Issue | |
| System | system.syslog | N/A | | |
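The check behind the table above can be automated. The script below is an added example, not code from this repository or from Filebeat: it scans the flat ECS documents that a Filebeat module's test expectation file holds (the `*.log-expected.json` layout is an assumption here), flags messages that look like authentication events but lack `event.category: authentication`, and separately inspects an ingest pipeline's processor list for a `set`/`append` that assigns the category. The sample documents, addresses and the pipeline fragment are constructed for the example; the Painless condition in the `set` processor is hypothetical.

```python
import json
import re
from pathlib import Path

# Constructed sample of the flat ECS documents a Filebeat module test
# expectation file holds (assumed layout: filebeat/module/<module>/<fileset>/test/
# <sample>.log-expected.json, a JSON list of documents with dotted field names).
# Messages and addresses are made up for this example.
SAMPLE_EXPECTED = [
    {"message": "Failed password for invalid user admin from 203.0.113.5 port 52244 ssh2",
     "event.category": ["authentication"], "event.outcome": "failure"},
    {"message": "pam_unix(sshd:session): session opened for user alice by (uid=0)",
     "event.category": ["session"]},
    {"message": "Accepted publickey for bob from 198.51.100.9 port 4022 ssh2",
     "event.category": ["network"]},          # auth event with the wrong category
    {"message": "Login failed for user 'sa'. Reason: Password did not match"},  # no category
    {"message": "CRON[123]: pam_unix(cron:session): session closed for user root"},
]

# Constructed fragment of an ingest pipeline definition (the processors list
# from a module's ingest/pipeline.yml, loaded as JSON/YAML). The condition in
# the set processor is a hypothetical Painless expression.
SAMPLE_PIPELINE = {
    "processors": [
        {"grok": {"field": "message", "patterns": ["%{GREEDYDATA:system.auth.message}"]}},
        {"set": {"field": "event.category", "value": "authentication",
                 "if": "ctx.system?.auth?.ssh?.event != null"}},
        {"append": {"field": "event.type", "value": ["start"]}},
    ]
}

# Words that mark a log line as authentication-related. This is a heuristic
# meant to surface gaps for manual review, not a classifier.
AUTH_HINTS = re.compile(
    r"\b(accepted|failed|invalid user|login|logon|authentication|password)\b", re.I)


def categories(doc):
    """Return event.category as a list, whatever shape the test file uses."""
    value = doc.get("event.category")
    if value is None:
        nested = doc.get("event")
        if isinstance(nested, dict):
            value = nested.get("category")
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_uncategorized_auth_events(docs):
    """Documents whose message looks like authentication but lack the category."""
    findings = []
    for index, doc in enumerate(docs):
        message = doc.get("message", "")
        if not AUTH_HINTS.search(message):
            continue
        cats = categories(doc)
        if "authentication" not in cats:
            findings.append({"index": index, "message": message, "category": cats})
    return findings


def pipeline_sets_authentication(pipeline):
    """True if any set/append processor assigns authentication to event.category."""
    for processor in pipeline.get("processors", []):
        for kind in ("set", "append"):
            spec = processor.get(kind)
            if not spec or spec.get("field") != "event.category":
                continue
            value = spec.get("value")
            values = [value] if isinstance(value, str) else list(value or [])
            if "authentication" in values:
                return True
    return False


def load_expected(path):
    """Load a *.log-expected.json file and return its list of documents."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    for f in find_uncategorized_auth_events(SAMPLE_EXPECTED):
        print(f"doc {f['index']}: category={f['category']} :: {f['message']}")
    print("pipeline sets authentication:", pipeline_sets_authentication(SAMPLE_PIPELINE))
```

Run it against a real expectation file with `find_uncategorized_auth_events(load_expected(path))`; each finding is a message the SIEM's authentication rules would never see because the pipeline left the category unset or set it to something else. The keyword list is deliberately broad so that the report errs toward false positives that a reviewer can discard.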

Filebeat modules I plan to create from existing Logstash patterns:

| Module | Status | Comment |
|---|---|---|
| ACS | | |
| Atlassian Confluence | | There is an Elastic integration |
| Atlassian Jira | | There is an Elastic integration |
| Authelia | | |
| Brocade | | |
| ESET | | |
| Gitlab | | |
| HP 3par | | |
| HP 3par-vsp | | |
| HP BladeSwitch | | |
| HP ILO | | |
| HP MSA | | |
| HP Onboard Administrator | | |
| Microsoft Exchange | PR - in progress | |
| Mikrotik | | |
| Multifactor | | |
| Nemesida | | |
| Netapp | | |
| Netgear | | |
| Netscaler | | |
| Nextcloud | | |
| Nexus | | |
| Oracle alert.log dataset | Issue | |
| Pleasant Password Server | | |
| Postfix | PR - in progress | |
| Unify | | |
| VMware ESXi | | |
| VMware vCenter | | |
| VMware NSX-V | | |
| VMware vROPs | | |
| Windows Firewall | | |
| Other | | add later |