Implementing a battling of malducks: stream the malware bytes that Elastic Endpoint captures, extract their configuration with malduck, and write the result to Elastic Cloud as configuration data.
Malware can be 'fowl'
But we can 'quack' its secrets
With our friend malduck
Build a solution that runs in a container, streams events from an Elasticsearch cluster holding the bytes captured from malware detected on the endpoint, processes those bytes with malduck into ECS-friendly documents, and stores the documents back in Elasticsearch (optionally in a different cluster).
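As an added example (not code from this repository), here is the processing step of that pipeline in Python: decode the captured bytes out of an alert document, run an extractor over them, and shape each extracted config into an ECS-friendly document that can be indexed into the output cluster. The field path holding the captured bytes, the ECS mapping, and the stub extractor are assumptions for illustration; the real tool uses malduck's extractor modules from the submodule, and the real alert field names are not given on this page. The sample alerts are constructed, including one without a capture and one with a corrupt capture, so the example also shows which documents get skipped.

```python
import base64
import hashlib
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hypothetical field path for the captured bytes inside an endpoint alert
# (the real field name is not given on the page); base64 encoding is assumed.
CAPTURE_FIELD = ("process", "Ext", "memory_region", "bytes")


def get_path(doc, path):
    """Walk a nested dict along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def captured_bytes(alert):
    """Decode the captured sample, or return None for alerts without a usable one."""
    encoded = get_path(alert, CAPTURE_FIELD)
    if not isinstance(encoded, str):
        return None
    try:
        return base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def to_ecs(alert, sample, config, now):
    """Map one extracted config onto ECS fields (this mapping is an assumption)."""
    sha256 = hashlib.sha256(sample).hexdigest()
    hosts, ips = [], []
    for url in config.get("urls", []):  # extractor-specific key, assumed here
        host = urlparse(url).hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
            ips.append(host)
        except ValueError:
            hosts.append(host)
    doc = {
        "@timestamp": now,
        "ecs": {"version": "8.11.0"},
        "event": {"kind": "enrichment", "category": ["malware"],
                  "type": ["info"], "dataset": "malduck.config"},
        "file": {"hash": {"sha256": sha256}, "size": len(sample)},
        "threat": {"software": {"name": config.get("family", "unknown"),
                                "type": "Malware"}},
        "related": {"hash": [sha256], "hosts": hosts, "ip": ips},
        "malduck": {"config": config},  # raw extractor output, custom namespace
    }
    for key in ("agent", "host"):  # keep the pivot back to the source alert
        if key in alert:
            doc[key] = alert[key]
    return doc


def process_alerts(alerts, extract, now=None):
    """Turn alert documents into ECS documents; alerts without a capture are skipped."""
    now = now or datetime.now(timezone.utc).isoformat()
    docs = []
    for alert in alerts:
        sample = captured_bytes(alert)
        if sample is None:
            continue
        for config in extract(sample):
            docs.append(to_ecs(alert, sample, config, now))
    return docs


def fake_extract(sample):
    """Constructed stand-in for malduck's ExtractManager: returns configs in the
    same shape (a dict per family, with a `family` key), not a real extractor."""
    if b"C2=" not in sample:
        return []
    urls = sample.split(b"C2=", 1)[1].split(b"\x00", 1)[0].decode().split(";")
    return [{"family": "exampleloader", "urls": urls}]


# Constructed sample alerts: one good capture, one without a capture, one corrupt.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"C2=http://203.0.113.5/gate.php;https://cdn.example.net/u\x00"
ALERTS = [
    {"agent": {"id": "a1"}, "host": {"name": "ws01"},
     "process": {"Ext": {"memory_region": {"bytes": base64.b64encode(SAMPLE).decode()}}}},
    {"agent": {"id": "a2"}, "host": {"name": "ws02"}},
    {"process": {"Ext": {"memory_region": {"bytes": "not base64!"}}}},
]

if __name__ == "__main__":
    for doc in process_alerts(ALERTS, fake_extract):
        print(doc)
```

In the container, `alerts` would come from a search against `INPUT_ELASTICSEARCH_INDEX` and the returned documents would be bulk-indexed into the output cluster; the transform itself has no cluster dependency, which is what makes it easy to unit test.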
Clone this repo together with its submodule: the submodule contains the Python modules used for detecting and extracting malware configuration data, and without it the container has nothing to extract with.
git clone --recurse-submodules https://github.com/elastic/malware-exquacker.git
Now that you have the repo cloned, we recommend building and running with Docker. You can do both in one step.
Build quietly and run:
docker run --rm -it $(docker build -q .) --help
Successful execution requires a configuration, for instance the following .env file (passed to docker with `--env-file`). The API keys are secrets: keep the .env file out of version control, and scope the input key to read access on the alerts index and the output key to write access on the destination index only.
INPUT_CLOUD_ID=security-cluster:id
INPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX
INPUT_ELASTICSEARCH_INDEX=logs-endpoint.alerts-*
OUTPUT_CLOUD_ID=security-cluster:id
OUTPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX
Then run with the env file (keep `--help` to list the command-line options, or replace it with the options you need):
docker run --rm -it --env-file .env $(docker build -q .) --help