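#requires -version 3
<#
.SYNOPSIS
Formats LogRhythm WebUI CSV export into usable format by TimeSketch
.DESCRIPTION
Formats a LogRhythm WebUI CSV export into a CSV that Timesketch can import. The 'Log Date'
column is parsed with the fixed pattern "MM/dd/yyyy h:mm:ss tt" (US-style dates with an
AM/PM designator) using the invariant culture, so the result does not depend on the locale
of the analyst's workstation. A row whose 'Log Date' does not match that pattern is still
written to the output (with an empty 'datetime') and is reported with a warning, so no event
disappears from the timeline silently.
.PARAMETER inputFile
LogRhythm WebUI CSV export. Must include the metadata columns AND the raw log ('Log Message').
.PARAMETER outputFile
Destination path for the Timesketch-formatted CSV.
.INPUTS
LogRhythm WebUI CSV Export, including raw logs AND metadata
.OUTPUTS
TimeSketch CSV to user defined location
.NOTES
Version: 1.1
Author: @chrismartinit
Creation Date: Dec 2017
Purpose/Change: Initial script development.
  1.1 (review): invariant-culture date parsing, exit code 1 when the input cannot be
  found/read or the output cannot be written, per-row warnings for unparseable dates,
  corrected completion message.
Raw 'Log Message' values are copied verbatim so evidence is not altered. Log content is
attacker-influenced: Export-Csv quotes every field, but spreadsheet applications may still
treat a cell that begins with =, +, - or @ as a formula, so feed the output to Timesketch
rather than opening it in Excel.
.EXAMPLE
.\LR-Timesketch_Export.ps1 -inputFile "c:\temp\12_28_2017-LogRhythm_WebLogsExport.csv" -outputFile "c:\temp\lr-ts-12-28-2017.csv"
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True,Position=1)]
    [string]$inputFile,
    [Parameter(Mandatory=$True,Position=2)]
    [string]$outputFile
)
#---------------------------------------------------------[Initialisations]--------------------------------------------------------
# Fail loudly. This is evidence-handling code: a swallowed Import-Csv/Export-Csv error would
# silently yield an empty or partial timeline. Per-row date parse failures are handled
# explicitly in the loop below instead of being suppressed globally.
$ErrorActionPreference = "Stop"
#----------------------------------------------------------[Declarations]----------------------------------------------------------
# Layout of the LogRhythm WebUI 'Log Date' column, e.g. "12/28/2017 1:05:09 PM". Parsed with
# the invariant culture so the AM/PM designator and separators are not locale dependent.
$logDateFormat = "MM/dd/yyyy h:mm:ss tt"
$invariantCulture = [System.Globalization.CultureInfo]::InvariantCulture
#-----------------------------------------------------------[Execution]------------------------------------------------------------
# -PathType Leaf: a directory would pass a plain Test-Path and only fail inside Import-Csv.
if (-not (Test-Path -Path $inputFile -PathType Leaf)) {
    Write-Warning "Input file not found: $inputFile. Exiting."
    exit 1
}
Write-Debug "Input file successfully found."
try {
    # @() so a single-row export still behaves like a collection (.Count, foreach).
    $tempCsv = @(Import-Csv -Path $inputFile)
} catch {
    Write-Warning "Could not read input file '$inputFile': $($_.Exception.Message)"
    exit 1
}
# A List avoids the array copy that '+=' on a PowerShell array performs on every append.
$csvOutput = New-Object System.Collections.Generic.List[object]
$unparsedDates = 0
foreach ($row in $tempCsv) {
    # Convert from LogRhythm short-date format to ISO 8601 ("s" = yyyy-MM-ddTHH:mm:ss, no
    # offset). An unparseable date is recorded as empty and counted; the row is still exported.
    $isoDateTime = ""
    try {
        $parsedDate = [datetime]::ParseExact($row.'Log Date', $logDateFormat, $invariantCulture)
        $isoDateTime = Get-Date -Date $parsedDate -Format s
    } catch {
        $unparsedDates++
        Write-Warning "Could not parse 'Log Date' value '$($row.'Log Date')'; row exported with empty datetime."
    }
    # Column names are the Timesketch CSV field names; 'message', 'datetime' and
    # 'timestamp_desc' are the ones Timesketch keys on.
    # NOTE(review): 'First Log Date' is copied verbatim into 'timestamp' and 'timestamp_desc'
    # is hard-coded to "UTC Write Time" although no timezone conversion is performed here.
    # Confirm the WebUI export is already UTC and that Timesketch accepts a non-epoch
    # 'timestamp' value before relying on either field.
    $csvOutput.Add([PSCustomObject][ordered]@{
        message           = $row.'Log Message'
        timestamp         = $row.'First Log Date'
        datetime          = $isoDateTime
        timestamp_desc    = "UTC Write Time"
        classification    = $row.Classification
        common_event      = $row.'Common Event'
        mpe_regex_rule    = $row.'MPE Rule Name'
        log_source_type   = $row.'Log Source Type'
        log_source_name   = $row.'Log Source'
        vendor_message_id = $row.'Vendor Message ID'
        user_origin       = $row.'User (Origin)'
        user_impacted     = $row.'User (Impacted)'
        host_origin       = $row.'Host (Origin)'
        host_impacted     = $row.'Host (Impacted)'
        ip_origin         = $row.'IP Address (Origin)'
        ip_impacted       = $row.'IP Address (Impacted)'
        location_origin   = $row.'Country (Origin)'
        location_impacted = $row.'Country (Impacted)'
    })
}
try {
    $csvOutput | Export-Csv -Path $outputFile -NoTypeInformation
} catch {
    Write-Warning "Could not write output file '$outputFile': $($_.Exception.Message)"
    exit 1
}
if ($unparsedDates -gt 0) {
    Write-Warning "$unparsedDates of $($tempCsv.Count) rows had a 'Log Date' that did not match '$logDateFormat' and were exported with an empty datetime."
}
if (Test-Path -Path $outputFile -PathType Leaf) {
    # Original message named $inputFile twice; the destination is $outputFile.
    Write-Output "$inputFile successfully exported to $outputFile."
}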