Add Volatility3 memory forensics parsers for SOF-ELK integration#395
Open
Prof-GP wants to merge 1 commit intophilhagen:developfrom
Open
Add Volatility3 memory forensics parsers for SOF-ELK integration#395Prof-GP wants to merge 1 commit intophilhagen:developfrom
Prof-GP wants to merge 1 commit intophilhagen:developfrom
Conversation
This contribution adds support for ingesting Volatility3 memory forensics output into SOF-ELK via Filebeat and Logstash. Added components: - 8 Logstash filter configurations for 6 Volatility3 plugins (pslist, pstree, psscan, netscan, cmdline, netstat) - Filebeat input configuration for monitoring Volatility output directories - Python script for converting Volatility JSON output to NDJSON format - Documentation covering supported plugins and overview Features: - Process enumeration and hidden process detection - Network connection analysis with GeoIP enrichment - Command line analysis with attack pattern detection - Suspicious indicator tagging for threat hunting 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Owner
|
There's a lot to review here, but rest assured I'm taking a look as best as I can! I have a few questions queued up but want to hold those until I can batch them here (and make sure they are de-duplicated, logical, etc) |
Author
|
just following up |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This contribution adds support for ingesting Volatility3 memory forensics output into SOF-ELK via Filebeat and Logstash.
Added components:
Features: