A dockerized solution to ingest CISA's Known Exploited Vulnerabilities (JSON) via Logstash (v8.X) w/ the new Sentinel plugin and using Azure Data Collection Rule (DCR), Data Collection Endpoint (DCE) and a JSON Sample file.
The sample file used is a small subset of CISA's file located here.
Limited testing has been done.
The goal of this effort is to give the user additional insight and intelligence from CISA about CVEs that are known to be exploited.
See cited resources below for a more detailed explanation.
Microsoft: Azure DCR API Tutorial
Medium: Azure DCR API Tutorial
CISA - Known Exploited Vulnerabilities Catalog
- You have required access to an Azure tenant
- You have administrative access to a supported Linux VM (on premises or in cloud)
- You're connected to the Internet
- Install Docker & Docker Compose, Git, Python3, and Logstash with the new Sentinel plugin:
  - /usr/share/logstash/bin/logstash-plugin install microsoft-sentinel-logstash-output-plugin
  - Ubuntu/Debian: sudo apt update && sudo apt upgrade -y && sudo apt install python3-dev
  - RedHat/Rocky: sudo dnf update && sudo dnf upgrade -y && sudo dnf install python3-devel
- You have the required access to build and run Docker containers
- You can clone or download and unzip this repository
git clone https://github.com/dcodev1702/cisa_known_exploited_cves.git
cd cisa_known_exploited_cves
Commercial Azure Portal
US Government Azure Portal
Create Data Collection Endpoint (DCE) in Azure Monitor
Create Custom Table via Log Analytics Workspace
- Select the DCE you just created
- Use sample json file 'cisa-cveids-json-oneliner-sample.json' for KQL transformation.
- Write KQL to normalize and transform the data as you desire.
Create App Registration w/ Secret
sudo vi ./logstash/pipeline/cisa-cveids-dcr-sentinel.conf
Configure Logstash Sentinel Plugin to use DCE/DCR API (logstash/pipeline/cisa-cveids-dcr-sentinel.conf)
- Client App ID
- Client App Secret
- Tenant ID
- Data Collection Endpoint (ingest url)
- DCR Immutable ID
- DCR Stream Name (Custom-YOUR_CUSTOM_TABLE_CL)
Configure IAM in DCR
- Add Role: Monitoring Metrics Publisher -> Application Registration
Start Logstash Container via Docker Compose
docker-compose up -d
!!! Right now, pulling down the CISA CVE Catalog is a manual process however, this will be fixed soon !!!
docker exec -it logstash bash
./cisa_cve_cronjob.sh
/usr/bin/python3 cisa_cve_compact_json.py
exit
Stop Logstash Container via Docker Compose
docker-compose down
Azure - Log Analytics
Once the Logstash container is built and running, it does the following.
- Bash script enables a pre-configured cron job.
- Cron job pre-configured to run once a day (change frequency as you desire)
- The cron job will call a Python script
- The Python script will get the CISA's known exploited CVEs JSON file from their website.
- TODO: Add logic to Python script to compare dateReleased in order to determine if a new catalog update should be applied!
- Compare the dateReleased in the existing /var/log/cisa_cveids/cveids-oneliner.log against the dateReleased in the catalog at the CISA URL: newer -> update, otherwise don't update
- The Python script will compact the downloaded JSON into one line and output it to /var/log/cisa_cveids/cveids-oneliner.log
- The Logstash Sentinel Plugin is configured to send that vuln data via the DCE/DCR REST API
- Check the container output with: docker logs logstash -f
- In the Azure portal, go to your Log Analytics Workspace -> Logs -> select your Custom Log -> Validate the CVE data was ingested.
- Combine this information to create custom alerts/analytics to ensure your environment is free of known/active exploited CVEs
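As an added example (not the repository's own cisa_cve_compact_json.py), the following Python script shows how the cron-driven step could implement the dateReleased comparison from the TODO above: it compacts a catalog to one JSON line for the Logstash file input and only replaces /var/log/cisa_cveids/cveids-oneliner.log when the downloaded catalog's dateReleased is strictly newer than the one already recorded. It assumes CISA's public feed URL and the README's log path; the two sample catalogs are constructed (placeholder CVE IDs), and the network fetch is only used when run as a script.

```python
"""
Added example, not the repository's cisa_cve_compact_json.py: compact the CISA
KEV catalog to one line and only replace the existing log when dateReleased
is newer. Field names follow CISA's published JSON; sample values are made up.
"""
import json
import os
import tempfile
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Assumed: CISA's public feed URL; LOG_PATH is the path from the README.
CISA_KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
LOG_PATH = "/var/log/cisa_cveids/cveids-oneliner.log"

# Constructed sample catalogs (placeholder CVE IDs, not real entries).
OLD_CATALOG = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.01.01",
    "dateReleased": "2023-01-01T12:00:00.0000Z",
    "count": 1,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2023-01-01",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-01-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
}
NEW_CATALOG = dict(
    OLD_CATALOG,
    catalogVersion="2023.02.01",
    dateReleased="2023-02-01T12:00:00.0000Z",
    count=2,
    vulnerabilities=OLD_CATALOG["vulnerabilities"] + [
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "OtherProduct", "dateAdded": "2023-02-01",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-02-22", "knownRansomwareCampaignUse": "Known"},
    ],
)


def parse_released(ts: str) -> datetime:
    """Parse dateReleased such as '2023-01-01T12:00:00.0000Z' into an aware UTC datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised dateReleased: {ts!r}")


def compact(catalog: dict) -> str:
    """Serialise the catalog as a single JSON line, which the Logstash file input reads."""
    return json.dumps(catalog, separators=(",", ":"), ensure_ascii=True)


def existing_date_released(log_path: str) -> Optional[datetime]:
    """dateReleased from the last non-empty line of the log; None if absent or unreadable."""
    if not os.path.exists(log_path):
        return None
    with open(log_path, "r", encoding="utf-8") as fh:
        lines = [line for line in fh.read().splitlines() if line.strip()]
    if not lines:
        return None
    try:
        return parse_released(json.loads(lines[-1])["dateReleased"])
    except (ValueError, KeyError, TypeError):
        return None  # corrupt or foreign line: treat as "no catalog yet" and rewrite


def should_update(existing: Optional[datetime], candidate: datetime) -> bool:
    """Update only when nothing is recorded yet or the candidate is strictly newer."""
    return existing is None or candidate > existing


def apply_catalog(catalog: dict, log_path: str) -> bool:
    """Write the compacted catalog if it is newer than the recorded one; True if written."""
    candidate = parse_released(catalog["dateReleased"])
    if not should_update(existing_date_released(log_path), candidate):
        return False
    target_dir = os.path.dirname(log_path) or "."
    os.makedirs(target_dir, exist_ok=True)
    # Write a temp file and rename it so Logstash never reads a half-written line.
    fd, tmp = tempfile.mkstemp(dir=target_dir, prefix=".kev-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(compact(catalog) + "\n")
    os.replace(tmp, log_path)
    return True


def fetch_catalog(url: str = CISA_KEV_URL, timeout: int = 30) -> dict:
    """Download and parse the live catalog (needs network; not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("catalog updated" if apply_catalog(fetch_catalog(), LOG_PATH) else "catalog unchanged")
```

Because a replaced catalog is written as a fresh file and renamed into place, the log is always either the previous complete line or the new complete line; an older or identical dateReleased leaves the file untouched, so the daily cron run does not re-ingest an unchanged catalog into the custom table.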