linting

elastic · Sep 7, 2021 · 5d7443c · 5d7443c
1 parent 4e03962
commit 5d7443c
Show file tree

Hide file tree

Showing 7 changed files with 1,271 additions and 1,287 deletions.
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
@@ -1,138 +1,138 @@
 description: Pipeline for parsing Abuse.ch Malware Threat Intel
 processors:
-  ####################
-  # Event ECS fields #
-  ####################
-  - set:
-  field: event.ingested
-  value: "{{_ingest.timestamp}}"
-  - set:
-  field: event.kind
-  value: enrichment
-  - set:
-  field: event.category
-  value: threat
-  - set:
-  field: event.type
-  value: indicator
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
 
-  ######################
-  # General ECS fields #
-  ######################
-  - rename:
-  field: json
-  target_field: threatintel.abusemalware
-  ignore_missing: true
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: json
+ target_field: threatintel.abusemalware
+ ignore_missing: true
 
-  #####################
-  # Threat ECS Fields #
-  #####################
-  - date:
-  field: threatintel.abusemalware.firstseen
-  target_field: threatintel.indicator.first_seen
-  formats:
-  - "yyyy-MM-dd HH:mm:ss z"
-  - "yyyy-MM-dd HH:mm:ss Z"
-  - "yyyy-MM-dd HH:mm:ss"
-  if: "ctx?.threatintel?.abusemalware.firstseen != null"
-  - set:
-  field: threatintel.indicator.type
-  value: file
-  - rename:
-  field: threatintel.abusemalware.file_size
-  target_field: threatintel.indicator.file.size
-  ignore_missing: true
-  - rename:
-  field: threatintel.abusemalware.file_type
-  target_field: threatintel.indicator.file.type
-  ignore_missing: true
-  # This includes a direct link to malicious files, we do not want them to appear in Kibana
-  # in case they are accidently clicked.
-  - remove:
-  field: threatintel.abusemalware.urlhaus_download
-  ignore_missing: true
-  - convert:
-  field: threatintel.indicator.file.size
-  type: long
-  ignore_missing: true
-  - rename:
-  field: threatintel.abusemalware.md5_hash
-  target_field: threatintel.indicator.file.hash.md5
-  ignore_missing: true
-  - rename:
-  field: threatintel.abusemalware.sha256_hash
-  target_field: threatintel.indicator.file.hash.sha256
-  ignore_missing: true
-  - rename:
-  field: threatintel.abusemalware.imphash
-  target_field: threatintel.indicator.file.pe.imphash
-  ignore_missing: true
-  - rename:
-  field: threatintel.abusemalware.ssdeep
-  target_field: threatintel.indicator.file.hash.ssdeep
-  ignore_missing: true
-  - rename:
-  field: threatintel.abusemalware.tlsh
-  target_field: threatintel.indicator.file.hash.tlsh
-  ignore_missing: true
-  - append:
-  field: related.hash
-  value: "{{ threatintel.indicator.file.hash.md5 }}"
-  if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null
-  - append:
-  field: related.hash
-  value: "{{ threatintel.indicator.file.hash.sha256 }}"
-  if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null
-  - append:
-  field: related.hash
-  value: "{{ threatintel.indicator.file.hash.ssdeep }}"
-  if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null
-  - append:
-  field: related.hash
-  value: "{{ threatintel.indicator.file.pe.imphash }}"
-  if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null
-  - append:
-  field: related.hash
-  value: "{{ threatintel.indicator.file.hash.tlsh }}"
-  if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null
+ #####################
+ # Threat ECS Fields #
+ #####################
+ - date:
+ field: threatintel.abusemalware.firstseen
+ target_field: threatintel.indicator.first_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx?.threatintel?.abusemalware.firstseen != null"
+ - set:
+ field: threatintel.indicator.type
+ value: file
+ - rename:
+ field: threatintel.abusemalware.file_size
+ target_field: threatintel.indicator.file.size
+ ignore_missing: true
+ - rename:
+ field: threatintel.abusemalware.file_type
+ target_field: threatintel.indicator.file.type
+ ignore_missing: true
+ # This includes a direct link to malicious files, we do not want them to appear in Kibana
+ # in case they are accidently clicked.
+ - remove:
+ field: threatintel.abusemalware.urlhaus_download
+ ignore_missing: true
+ - convert:
+ field: threatintel.indicator.file.size
+ type: long
+ ignore_missing: true
+ - rename:
+ field: threatintel.abusemalware.md5_hash
+ target_field: threatintel.indicator.file.hash.md5
+ ignore_missing: true
+ - rename:
+ field: threatintel.abusemalware.sha256_hash
+ target_field: threatintel.indicator.file.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: threatintel.abusemalware.imphash
+ target_field: threatintel.indicator.file.pe.imphash
+ ignore_missing: true
+ - rename:
+ field: threatintel.abusemalware.ssdeep
+ target_field: threatintel.indicator.file.hash.ssdeep
+ ignore_missing: true
+ - rename:
+ field: threatintel.abusemalware.tlsh
+ target_field: threatintel.indicator.file.hash.tlsh
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: "{{ threatintel.indicator.file.hash.md5 }}"
+ if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null
+ - append:
+ field: related.hash
+ value: "{{ threatintel.indicator.file.hash.sha256 }}"
+ if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null
+ - append:
+ field: related.hash
+ value: "{{ threatintel.indicator.file.hash.ssdeep }}"
+ if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null
+ - append:
+ field: related.hash
+ value: "{{ threatintel.indicator.file.pe.imphash }}"
+ if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null
+ - append:
+ field: related.hash
+ value: "{{ threatintel.indicator.file.hash.tlsh }}"
+ if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null
 
- ######################
- # Cleanup processors #
- ######################
- - set:
- field: threatintel.indicator.type
- value: unknown
- if: ctx?.threatintel?.indicator?.type == null
- - script:
- lang: painless
- if: ctx?.threatintel != null
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
+ ######################
+ # Cleanup processors #
+ ######################
+ - set:
+ field: threatintel.indicator.type
+ value: unknown
+ if: ctx?.threatintel?.indicator?.type == null
+ - script:
+ lang: painless
+ if: ctx?.threatintel != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
  }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- - remove:
- field:
- - threatintel.abusemalware.firstseen
- - message
- ignore_missing: true
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field:
+ - threatintel.abusemalware.firstseen
+ - message
+ ignore_missing: true
 on_failure:
-  - set:
-  field: error.message
-  value: "{{ _ingest.on_failure_message }}"
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"