Security Logs Logstash Plugins Repository

Are you using or planning to use ELK and need to digest logs from various products? You’re in the right place…

Visit our Github page: https://github.com/empow/logstash-parsers

empow’s SIEM logstash pipeline is an open source repository containing logstash-based configuration pipelines for the digestion of logs generated by various products and vendors. The output is mapped to the Elastic Common Schema (ECS). In some cases, additional fields that have security value and do not exist in the ECS can be added.

In addition, some plugins can be used to enrich security logs with information about the attacker’s intent according to the cyber-kill-chain and MITRE ATT&CK representation language, using empow’s threat classification plugin.

What do you get?

  1. Parsers for logs from various products and vendors
  2. Logstash pipeline-based structure to streamline the digestion of various logs
  3. Output to Elastic (or other destination) based on ECS
  4. Enrichment for intent classification, powered by empow (optional)
  5. Since Logstash is configurable, you can modify the plugins and pipeline for your specific needs
  6. Community to share and keep up-to-date plugins

Note: the plugins are based on log samples and vendors’ documentation. We are continuously updating and enriching the plugins. We encourage you to share examples and enhancements to improve the plugins and to keep them up-to-date with the latest product versions. Please contact us at support@empow.co for any questions or updates.

To begin using the plugins repository, visit our Github page: https://github.com/empow/logstash-parsers

Recommended: Extend the functionality of your pipeline with empow’s threat classification plugin

The empow classification plugin extends the functionality of Logstash by classifying your log data for attack intent and attack stage, using the empow classification center. Click here for more information on the benefits of using empow’s threat classification plugin.

To add empow’s intent threat classification to the output of the setup described above, the following steps are required:

  1. Register to empow’s classification center (it’s free, and no private information is sent to empow’s classification center) – to register, please fill out the form on this page.
    NOTE: the username and password entered in the registration form are used as the plugin credentials.
  2. Use empow’s classification virtual output by modifying the output of each parser as described here.

For any questions or clarifications please contact us at support@empow.co
