PSElasticSearch.psm1

function Get-Elasticdata{
    param(
    $index,
    $body,
    $server,
    [string]$port="9200",
    [switch]$scroll,
    $size=100,
    $simplequery
    )
    
    if($scroll){
        #Send query and get scroll id for retrieval
        if ($simplequery -and !$body){ #if check for simple or complex query
            $scrollrequest=Invoke-RestMethod -Uri "http://$server`:$port/$index/_search/?q=$simplequery&scroll=1m" -Method get -ContentType 'application/json'
        }else{
            $scrollrequest=Invoke-RestMethod -Uri "http://$server`:$port/$index/_search/?scroll=1m" -Body $body -Method post -ContentType 'application/json'
        }
        
        #build object for scroll result retrival
        $scrollgetbody=[pscustomobject]@{
            scroll = "1m"
            scroll_id = "$($scrollrequest._scroll_id)"
        } | ConvertTo-Json
        #loop all scroll results
        do{
            $scrollreqresult=$null #reset variable so that end of results can be detected
            $scrollreqresult=Invoke-RestMethod -Uri "http://$server`:$port/_search/scroll" -Body $scrollgetbody -Method post -ContentType 'application/json' #get scroll results 10 at a time
            $scrollreqresult #output scroll results
        }while($scrollreqresult.hits.hits)#loop to output scroll results while there are results being delivered by elastic
    }
    else{ #If no scroll do query and return specified number of results
        if ($simplequery -and !$body){ #if check for simple or complex query
            Invoke-RestMethod -Uri "http://$server`:$port/$index/_search/?q=$simplequery&size=$size" -Method get -ContentType 'application/json'
        }else{
            Invoke-RestMethod -Uri "http://$server`:$port/$index/_search/?size=$size" -Body $body -Method post -ContentType 'application/json'
        }
    }
    
}


function Convert-Elasticdata {
    [CmdletBinding()]
    param(
    [Parameter(ValueFromPipeline)]$item,
    $inputtype,
    $resulttype
    )
    
    switch($inputtype){
    
        netflow {
            switch($resulttype){
                toptalkers {
                    $item.aggregations.source.buckets | ForEach-Object {
                        [pscustomobject]@{
                            Host = $_.key
    
                            Megabytes = [math]::round($_.totalbytes.value/1MB, 0)
                        }
                    }
                }
                topprotocols {
                    $item.aggregations.source.buckets | ForEach-Object {
                        [pscustomobject]@{
                            Protocol = $_.key
    
                            Megabytes = [math]::round($_.totalbytes.value/1MB, 0)
                        }
                    }
                }
            }
        }
        pfsense {
            switch ($resulttype){
                failedlogons {
                    $logon=$item.hits.hits._source | where {$_.message -like "*authentication error*"}
                    $failedlogons=$logon | ForEach-Object{
                        [pscustomobject]@{
                            username = $_.pfsense_USER
                            source_IP = $_.message.split(":")[2]
                        }
                    }
                    $failedlogons.username | sort | Get-Unique | ForEach-Object {
                        $tinput=$_
                        [pscustomobject]@{
                            username = $_
                            source_IP=($failedlogons | where {$_.username -eq $tinput}).source_IP | Get-Unique
                            attempts=($failedlogons | where {$_.username -eq $tinput}).count
                        }
                    }
                }
                openvpnfailedlogons{
                    $logon=$item.hits.hits._source
                    $logon | ForEach-Object{
                        [pscustomobject]@{
                            username = $_.message.split("'")[1]
                            time = $_."@timestamp" | get-date
                        }
                    }
                
                }
                firewallblocktop{
                    $item.aggregations.source.buckets | foreach-object {
                        [PSCustomObject]@{
                            IP = $_.key
                            Attempts = $_.doc_count
                        }
                    }
                }
            }
        }
        windows {
            switch ($resulttype){
                failedlogons {
                    $item.aggregations.source.buckets.doc_count | ForEach-Object {$totalcount+=[int]$_}
                    [PSCustomObject]@{
                        Username = "Total"
                        "Failed Attempts" = $totalcount
                    }
                    $item.aggregations.source.buckets | ForEach-Object {
                        [PSCustomObject]@{
                            Username = $_.key
                            "Failed Attempts" = $_.doc_count
                        }
                    }
                }
                fileDLP {
                    $item.hits.hits._source | ForEach-Object {
                        [pscustomobject]@{
                             user = $_.event_data.SubjectUserName
                             path = $_.event_data.ObjectName
                             time = "$($_."@timestamp" | get-date)"
                             audit = $_.keywords.replace("Audit ","")
                        }
                   } | sort $_.path | Get-Unique -AsString
                }
            }
        }
        
    
    }
     
}