enriquesanchez-elastic/data-loader
OhMyMalware Security Data Loader

A Python utility for loading security data from the jamesspi/ohmymalware repository into Elasticsearch.

Features

  • Downloads security events and alerts from the OhMyMalware repository
  • Creates properly configured Elasticsearch indices for security data
  • Sets up ingest pipelines for Elastic Security rule compatibility
  • Handles various file formats (JSON, NDJSON, CSV, logs)
  • Processes episode data from the repository

Requirements

  • Python 3.6+
  • Elasticsearch 7.x+
  • Python packages: pandas, requests, elasticsearch

Installation

Using uv

# Install uv if you don't have it
curl -LsSf https://astral.sh/uv/install.sh | sh

# Create virtual environment and install dependencies
uv venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate
uv pip install -e .

Configuration

Edit the configuration section in main.py:

# Configuration - MODIFY THESE VALUES
ES_HOST = "localhost"  # Your Elasticsearch host
ES_PORT = 9200  # Your Elasticsearch port
ES_USER = "elastic"  # Your Elasticsearch username (if auth required)
ES_PASSWORD = "changeme"  # Your Elasticsearch password (if auth required)

Usage

python main.py

The script will:

  1. Connect to your Elasticsearch instance
  2. Create necessary indices and pipelines
  3. Download and process security data
  4. Index the data into the appropriate indices

Output

  • Events are indexed into: logs-endpoint.events.imported
  • Alerts are indexed into: logs-endpoint.alerts-imported
  • An ingest pipeline is created: ohmymalware-security-pipeline
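As an added example (not the project's own code), the following Python shows the data-preparation side of the Usage steps and the Output names: parsing NDJSON with malformed lines skipped, shaping documents as bulk actions that route through ohmymalware-security-pipeline into logs-endpoint.events.imported, and reading connection settings from environment variables instead of the literals in main.py. The pipeline processors, the ES_* environment-variable names and the sample events are assumptions.

```python
import json
import os
from typing import Dict, Iterable, List, Tuple

# Index and pipeline names are the ones the README lists; everything else here is assumed.
EVENTS_INDEX = "logs-endpoint.events.imported"
PIPELINE_ID = "ohmymalware-security-pipeline"

def pipeline_definition() -> Dict:
    """Pipeline body (assumed processors): stamp ingest time, default event.kind."""
    return {"description": "Tag imported OhMyMalware documents", "processors": [
        {"set": {"field": "event.ingested", "value": "{{_ingest.timestamp}}"}},
        {"set": {"field": "event.kind", "value": "event", "override": False}}]}

def parse_ndjson(text: str) -> Tuple[List[Dict], int]:
    """Parse NDJSON: blank lines are ignored; lines that are not JSON objects are counted and skipped."""
    docs, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            doc = None
        if isinstance(doc, dict):
            docs.append(doc)
        else:
            skipped += 1
    return docs, skipped

def bulk_actions(docs: Iterable[Dict], index: str) -> List[Dict]:
    """Shape documents as elasticsearch.helpers.bulk() actions that run through the pipeline."""
    return [{"_index": index, "pipeline": PIPELINE_ID, "_source": doc} for doc in docs]

def es_client_kwargs() -> Dict:
    """Connection settings from the environment rather than literals in main.py (assumed variable names)."""
    host, port = os.environ.get("ES_HOST", "localhost"), os.environ.get("ES_PORT", "9200")
    kwargs = {"hosts": [f"http://{host}:{port}"]}
    user, password = os.environ.get("ES_USER"), os.environ.get("ES_PASSWORD")
    if user and password:
        kwargs["basic_auth"] = (user, password)  # keyword used by the 8.x Python client
    return kwargs

# Constructed sample: two endpoint-style events, a blank line, and one truncated line.
SAMPLE_NDJSON = """{"@timestamp":"2024-01-01T00:00:00Z","event":{"category":["process"]},"process":{"name":"cmd.exe"}}

{"@timestamp":"2024-01-01T00:00:01Z","event":{"category":["file"]},"file":{"name":"notes.txt"}}
{"@timestamp":"2024-01-01T00:00:02Z","event":{"category":["network"]
"""
```

Against a reachable cluster, the pieces wire together with the 8.x client as `es = Elasticsearch(**es_client_kwargs())`, `es.ingest.put_pipeline(id=PIPELINE_ID, body=pipeline_definition())` and `helpers.bulk(es, bulk_actions(docs, EVENTS_INDEX))`.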

License

MIT
